New submission from Neeraj Sonaniya <nsonaniya2...@gmail.com>:
Summary: It has been identified that `urlparse` under the `urllib.parse` module is detecting the wrong hostname, which could lead to a security issue known as an open redirect vulnerability.

Steps to reproduce the issue:

The following code will help you in reproducing the issue:

```
from urllib.parse import urlparse

# The backslash is escaped as '\\' here; the resulting string is the same
# as the original '\@' form (a literal backslash followed by '@').
x = 'http://www.google.com\\@xxx.com'
y = urlparse(x)
print(y.hostname)
```

Output: xxx.com

The hostname from the above URL which is actually rendered by the browser is: 'https://www.google.com'.

Tested in the following browsers (hostname detected as: https://www.google.com):

```
1. Chromium - Version 72.0.3626.7 - Developer Build
2. Firefox - 60.4.0esr (64-bit)
3. Internet Explorer - 11.0.9600.17843
4. Safari - Version 12.0.2 (14606.3.4)
```

----------
components: Library (Lib)
files: Screenshot from 2019-01-16 12-47-22.png
messages: 333750
nosy: nsonaniya2010, orsenthil
priority: normal
severity: normal
status: open
title: urlparse library detecting wrong hostname leads to open redirect vulnerability
type: security
versions: Python 3.6, Python 3.7, Python 3.8
Added file: https://bugs.python.org/file48058/Screenshot from 2019-01-16 12-47-22.png

Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue35748>
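The practical risk in this report is a redirect allow-list that trusts `urlparse().hostname` while the browser resolves the same URL to a different host. The following is an added example (not part of the report or of CPython) that contrasts such a naive check with one that rejects the parser disagreement; the host `xxx.com` as the application's own host, `ALLOWED_HOSTS`, and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed scenario: the application is served from xxx.com and only
# wants to redirect to itself. The allow-list and function names are assumed.
ALLOWED_HOSTS = {"xxx.com"}


def naive_is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """Allow-list check that trusts urlsplit's hostname as-is."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in allowed_hosts


def browser_hostname(url):
    """Hostname as a WHATWG-style (browser) URL parser would see it.

    Browsers treat '\\' as '/' in http(s) URLs, so the authority ends at the
    first backslash. Normalising before urlsplit makes Python agree with them.
    """
    return urlsplit(url.replace("\\", "/")).hostname


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """Allow-list check that stays consistent with browser parsing."""
    if "\\" in url:
        # A backslash is exactly where urlsplit and browsers disagree on the
        # authority, so refuse rather than guess which parser the client uses.
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        # Rejects mailto:, data:, and scheme-less '//host' forms; relative
        # paths need their own rule and are not handled here.
        return False
    host = parts.hostname
    return host is not None and host.lower() in allowed_hosts


if __name__ == "__main__":
    url = "http://www.google.com\\@xxx.com"  # the URL from the report
    print(urlsplit(url).hostname)            # xxx.com
    print(browser_hostname(url))             # www.google.com
    print(naive_is_safe_redirect(url), is_safe_redirect(url))  # True False
```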