But still thanks :) I will try to ask for allocating a CVE from https://cve.mitre.org/
2017-03-07 3:05 GMT+08:00 Orange Tsai <[email protected]>:

> Oops
>
> That's my fault. I sent the wrong mail.
>
> Very sorry :(
>
> 2017-03-07 3:03 GMT+08:00 Tim Rühsen <[email protected]>:
>
>> On Tuesday, 7 March 2017 02:01:06 CET Orange Tsai wrote:
>> > I am surprised that `http://[email protected]:[email protected]` will connect to
>> > `evil.com`, not `good.com`.
>> > Most URL parsers will recognize `good.com` as the host part. Like this
>> > advisory, https://curl.haxx.se/docs/adv_20161102J.html
>> > It seems more dangerous if a developer still relies on the result of
>> > parsing the URL than my original report.
>> >
>> > Some testing:
>> > $ python try.py 'http://[email protected]:[email protected]/x'
>> >
>> > Python scheme=http, [email protected]:[email protected], port=
>> > PHP scheme=http, host=127.2.2.2, port=
>> > Perl scheme=http, host=127.2.2.2, port=80
>> > Ruby2 scheme=http, host=127.2.2.2, port=
>> > GO scheme=http, host=127.2.2.2, port=
>> > Java scheme=http, host=, port=-1
>> > JS scheme=http, host=127.2.2.2, port=null
>> >
>> > But it seems also the same root cause and fixed at this patch. :)
>> > By the way, would you mind allocating a CVE-ID to address this?
>>
>> I'd appreciate that. But I never did that, so who does allocate a CVE, how
>> and where? I am willing to learn :-)
>>
>> Tim
>>
>
> --
> - Orange -

--
- Orange -
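Added example, not part of the mail thread and not code from any project discussed in it: one way for an application to avoid trusting a host that its fetcher may read differently, by rejecting any authority containing `@` and rebuilding the URL from the validated parts. The names `canonical_url`, `is_safe` and `AmbiguousURL` are hypothetical, and the hosts `good.example` and `evil.example` are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit


class AmbiguousURL(ValueError):
    """The URL's authority could be read differently by two parsers."""


def canonical_url(url, allowed_hosts):
    """Return a rebuilt URL whose host is in allowed_hosts, else raise."""
    # Control characters, spaces and backslashes are treated
    # inconsistently across URL parsers, so refuse them up front.
    if any(c <= " " or c == "\x7f" or c == "\\" for c in url):
        raise AmbiguousURL("control character, space or backslash")
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port validates the number
    except ValueError as exc:
        raise AmbiguousURL(str(exc)) from exc
    if parts.scheme not in ("http", "https"):
        raise AmbiguousURL("scheme not allowed")
    # Any '@' means userinfo; with two '@' parsers disagree on which one
    # ends it (the case in the thread). Reject instead of guessing.
    if "@" in parts.netloc:
        raise AmbiguousURL("'@' in authority")
    if not host or host not in allowed_hosts:
        raise AmbiguousURL("host not in allowlist")
    # Rebuild from the validated pieces so the fetcher receives exactly
    # the host that was checked, not the original string.
    authority = f"[{host}]" if ":" in host else host
    if port is not None:
        authority += f":{port}"
    return urlunsplit((parts.scheme, authority, parts.path or "/",
                       parts.query, ""))


def is_safe(url, allowed_hosts):
    """Boolean wrapper around canonical_url for simple gate checks."""
    try:
        canonical_url(url, allowed_hosts)
        return True
    except AmbiguousURL:
        return False


if __name__ == "__main__":
    ALLOWED = {"good.example"}  # constructed allowlist
    for sample in ("http://good.example/x",
                   "http://user@good.example:80@evil.example/x"):
        print(sample, "->", is_safe(sample, ALLOWED))
```

The fetcher should be given the return value of `canonical_url`, never the original input string.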
