[issue30500] urllib connects to a wrong host

2017-06-07 Thread STINNER Victor
STINNER Victor added the comment:

> I think the best behavior is to do what popular web browsers do. Chrome and
> Firefox, for example, parse this as host 127.0.0.1, path /, fragment
> #@evil.com.

I agree that in case of doubt, it's better to follow the implementation of most popular web

[issue30500] urllib connects to a wrong host

2017-05-29 Thread Nam Nguyen
Nam Nguyen added the comment: I think the best behavior is to do what popular web browsers do. Chrome and Firefox, for example, parse this as host 127.0.0.1, path /, fragment #@evil.com. If the code does want to support username/password, it should do a custom opener (with basic HTTP

[issue30500] urllib connects to a wrong host

2017-05-29 Thread Nam Nguyen
Changes by Nam Nguyen: pull_requests: +1937

[issue30500] urllib connects to a wrong host

2017-05-28 Thread Martin Panter
Martin Panter added the comment: See also Issue 18140, where it looks like people _want_ the hash (#) to be part of the username and/or password. Another option may be to raise an exception.

nosy: +martin.panter

[issue30500] urllib connects to a wrong host

2017-05-28 Thread Mariatta Wijaya
Changes by Mariatta Wijaya: versions: +Python 3.5, Python 3.6

[issue30500] urllib connects to a wrong host

2017-05-28 Thread Nam Nguyen
New submission from Nam Nguyen:

Reported by Orange Tsai:

==
Hi, Python Security Team

    import urllib
    from urlparse import urlparse

    url = 'http://127.0.0.1#@evil.com/'
    print urlparse(url).netloc  # 127.0.0.1
    print urllib.urlopen(url).read()  # will access evil.com

I have
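An added example, not part of the tracker thread or of CPython: a Python 3 pre-fetch check that refuses URLs whose host a userinfo-style parser and an RFC 3986 parser could read differently, as in the report above. The function name `check_fetch_url`, the allow-list and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# RFC 3986: the authority starts after "//" and ends at the first "/", "?" or "#".
_PREFIX = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*)://([^/?#]*)")

def check_fetch_url(url, allowed_hosts):
    """Return the host to connect to, or raise ValueError (hypothetical helper)."""
    m = _PREFIX.match(url)
    if not m or m.group(1).lower() not in ("http", "https"):
        raise ValueError("not an absolute http(s) URL")
    authority, rest = m.group(2), url[m.end():]
    # Text between the end of the authority and the first "/". A parser that
    # only stops at "/" treats this as part of the netloc, so an "@" here
    # makes it pick whatever follows as the host ('http://127.0.0.1#@evil.com/').
    # This is conservative: 'http://host?q=a@b' is refused too.
    slash = rest.find("/")
    head = rest if slash == -1 else rest[:slash]
    if "@" in head:
        raise ValueError("ambiguous authority: '@' after '#' or '?'")
    # Credentials in the URL are refused outright; pass them through an
    # explicit auth handler instead, as suggested in the thread.
    if "@" in authority:
        raise ValueError("userinfo in URL not accepted")
    host = urlsplit(url).hostname
    if host is None or host not in allowed_hosts:
        raise ValueError("host not allowed: %r" % (host,))
    return host

if __name__ == "__main__":
    # Constructed sample inputs; the second one is the URL from the report.
    samples = [
        "http://example.com:8080/users/@me",
        "http://127.0.0.1#@evil.com/",
        "http://user:pw@example.com/",
    ]
    for u in samples:
        try:
            print(u, "->", check_fetch_url(u, {"example.com", "127.0.0.1"}))
        except ValueError as exc:
            print(u, "-> rejected:", exc)
```

The check runs before any request is made, so the decision does not depend on which parser the HTTP client uses internally.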