Oops, that's my fault. I sent the wrong mail.
Very sorry :(

2017-03-07 3:03 GMT+08:00 Tim Rühsen <[email protected]>:
> On Tuesday, 7 March 2017 02:01:06 CET Orange Tsai wrote:
> > I am surprised that `http://[email protected]:[email protected]` will connect to
> > `evil.com`, not `good.com`.
> > Most URL parsers will recognize `good.com` as the host part. Like this
> > advisory, https://curl.haxx.se/docs/adv_20161102J.html
> > It seems more dangerous than my original report if a developer still relies on
> > the result of parsing the URL.
> >
> > Some testing:
> > $ python try.py 'http://[email protected]:[email protected]/x'
> >
> > Python scheme=http, [email protected]:[email protected], port=
> > PHP    scheme=http, host=127.2.2.2, port=
> > Perl   scheme=http, host=127.2.2.2, port=80
> > Ruby2  scheme=http, host=127.2.2.2, port=
> > GO     scheme=http, host=127.2.2.2, port=
> > Java   scheme=http, host=, port=-1
> > JS     scheme=http, host=127.2.2.2, port=null
> >
> > But it seems to be the same root cause and is also fixed by this patch. :)
> > By the way, would you mind allocating a CVE-ID to address this?
>
> I'd appreciate that. But I never did that, so who does allocate a CVE, how and
> where? I am willing to learn :-)
>
> Tim

--
- Orange -
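The "which '@' ends the userinfo" ambiguity discussed in the thread, as an added example (this is not code from the thread, from wget, or from any participant): a Python 3 script that splits a constructed authority under a first-'@' rule, a last-'@' rule, and CPython's own urllib.parse, then shows the check a practitioner wants before trusting a parsed host: refuse any authority with more than one '@' instead of guessing. The host names `good.example` / `evil.example` and the sample URL are made up for this example; the URL from the mail is redacted above.

```python
# Added example, not from the wget thread. Sample URL is constructed with
# reserved example names; it is not the (redacted) URL from the mail.
from urllib.parse import urlsplit

SAMPLE_URL = "http://good.example@evil.example:80@good.example/x"


def _host_port(hostport):
    """Split 'host[:port]' for a non-bracketed host.

    The port is returned raw (string or None) on purpose: under the lenient
    rules below it may carry leftover junk such as '80@good.example'.
    """
    host, sep, port = hostport.partition(":")
    return host.lower(), (port if sep else None)


def _split(netloc, where):
    """Common body: `where` decides which '@' terminates the userinfo."""
    userinfo, sep, rest = where(netloc)
    if not sep:  # no '@' at all: the whole netloc is host[:port]
        return (None,) + _host_port(netloc)
    return (userinfo,) + _host_port(rest)


def split_first_at(netloc):
    """Rule A: userinfo ends at the FIRST '@'.

    On the sample this yields host 'evil.example' and a port field of
    '80@good.example', i.e. the trailing '@good.example' is silently absorbed.
    """
    return _split(netloc, lambda n: n.partition("@"))


def split_last_at(netloc):
    """Rule B: userinfo ends at the LAST '@' (what most lenient parsers do).

    On the sample this yields host 'good.example' and no port.
    """
    return _split(netloc, lambda n: n.rpartition("@"))


def strict_authority(netloc):
    """RFC 3986: neither userinfo nor host may contain an unencoded '@', so a
    valid authority has at most one. Refuse anything else instead of guessing."""
    if netloc.count("@") > 1:
        raise ValueError("ambiguous authority (more than one '@'): %r" % netloc)
    return _split(netloc, lambda n: n.partition("@"))


def compare(url):
    """Host that each rule extracts from url's authority ('strict' is None when refused)."""
    parts = urlsplit(url)
    try:
        strict_host = strict_authority(parts.netloc)[1]
    except ValueError:
        strict_host = None
    return {
        "first_at": split_first_at(parts.netloc)[1],
        "last_at": split_last_at(parts.netloc)[1],
        # CPython's .hostname takes the text after the last '@' (rule B).
        "urllib": parts.hostname,
        "strict": strict_host,
    }


def is_allowed(url, allowed_hosts):
    """Allowlist check done safely: reject ambiguous authorities outright, then
    compare the single unambiguous host against the allowlist."""
    try:
        _, host, _ = strict_authority(urlsplit(url).netloc)
    except ValueError:
        return False
    return host in allowed_hosts


if __name__ == "__main__":
    for rule, host in compare(SAMPLE_URL).items():
        print("%-9s -> %s" % (rule, host))
    print("allowed?", is_allowed(SAMPLE_URL, {"good.example"}))
```

The point of `compare` is that two reasonable splitting rules disagree on the same bytes, so an allowlist decision made on one parser's host and a connection made by another's is exactly the class of bug the thread is about; `is_allowed` sidesteps it by treating a second '@' as a hard error rather than picking a side.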
