[issue40338] [Security] urllib and anti-slash (\) in the hostname

2020-04-27 Thread STINNER Victor
STINNER Victor added the comment:

We consider that the stdlib is not vulnerable, so I close the issue. Feel free to report vulnerabilities to third party projects which are vulnerable. Thanks for the report anyway David Schütz!

--
resolution: -> not a bug
stage: -> resolved

[issue40338] [Security] urllib and anti-slash (\) in the hostname

2020-04-27 Thread Riccardo Schirone
Riccardo Schirone added the comment:

I agree I don't see a clear vulnerability here.

--
nosy: +rschiron

[issue40338] [Security] urllib and anti-slash (\) in the hostname

2020-04-22 Thread hai shi
hai shi added the comment:

> It seems to behave as expected

+1. This is an interesting test ;)

[issue40338] [Security] urllib and anti-slash (\) in the hostname

2020-04-20 Thread hai shi
Change by hai shi:

--
nosy: +shihai1991

[issue40338] [Security] urllib and anti-slash (\) in the hostname

2020-04-20 Thread STINNER Victor
STINNER Victor added the comment:

(The first message is basically David's email rephrased. Here is my reply ;-))

> This could present issues if server-side checks are used by applications to
> validate a URL's authority.

Which kind of application would be affected by this vulnerability?

[issue40338] [Security] urllib and anti-slash (\) in the hostname

2020-04-20 Thread STINNER Victor
New submission from STINNER Victor:

David Schütz reported the following urllib vulnerability to the PSRT on 2020-03-29. He wrote an article about a similar vulnerability in Closure (JavaScript):

https://bugs.xdavidhu.me/google/2020/03/08/the-unexpected-google-wide-domain-check-bypass/

David