New submission from Xianbo Wang <sane...@gmail.com>:

The urlparse function in Python urllib returns the wrong hostname when parsing 
a URL crafted by a malicious user. This may be caused by incorrect handling of 
IPv6 addresses. The bug could lead to an open redirect in web applications which 
rely on urlparse to extract and validate the domain of the redirection URL.

The test case is as follows:

>>> from urllib.parse import urlparse
>>> urlparse('http://benign.com\[attacker.com]').hostname
'attacker.com'

The correct behavior should be raising an invalid URL exception.

----------
components: Library (Lib)
messages: 338171
nosy: Xianbo Wang
priority: normal
severity: normal
status: open
title: urlparse of urllib returns wrong hostname
type: security
versions: Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36338>
_______________________________________
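As an added example (not part of the report or of CPython), the following validator shows how an application can avoid the open-redirect pattern described above: instead of trusting `.hostname` from the parsed result, it checks the whole authority component against a strict grammar and only then compares the host with an allow-list. The function names, the `ALLOWED_HOSTS` set and the sample URLs are constructed for this illustration. On the Python 3.7 the report targets, `urlsplit` accepts the crafted URL and the authority check rejects it; on newer interpreters that raise `ValueError` for the bracketed host, the `except` branch rejects it, so the outcome is the same either way.

```python
# Added example, not from the bug report: a redirect-target validator that
# does not rely on urlparse().hostname alone. All names are hypothetical.
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allow-list of hosts the application may redirect to.
ALLOWED_HOSTS = {"benign.com", "www.benign.com"}

# Strict grammar for the authority component: a DNS-style reg-name or a
# bracketed IPv6 literal, each with an optional numeric port. Userinfo ('@'),
# backslashes and stray brackets are not accepted anywhere.
_REG_NAME = r"(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"
_IPV6_LIT = r"\[(?P<ipv6>[0-9A-Fa-f:.]+)\]"
_AUTHORITY_RE = re.compile(
    rf"\A(?:{_REG_NAME}|{_IPV6_LIT})(?::(?P<port>\d{{1,5}}))?\Z"
)


def extract_host(url):
    """Return the validated host of *url*, or None if it cannot be trusted.

    Every rejection path returns None so that 'unparseable' and
    'suspicious' are treated identically (fail closed).
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # Newer interpreters reject malformed bracketed hosts here.
        return None
    if parts.scheme not in ("http", "https"):
        return None
    m = _AUTHORITY_RE.fullmatch(parts.netloc)
    if m is None:
        # e.g. 'benign.com\[attacker.com]' on Python 3.7: the backslash and
        # the bracket after a reg-name do not match the grammar.
        return None
    if m.group("ipv6") is not None:
        try:
            ipaddress.IPv6Address(m.group("ipv6"))
        except ValueError:
            return None
        return m.group("ipv6").lower()
    return m.group("host").lower()


def is_safe_redirect(url):
    """True only if the URL's validated host is on the allow-list."""
    host = extract_host(url)
    return host is not None and host in ALLOWED_HOSTS


if __name__ == "__main__":
    for sample in (
        "http://benign.com\\[attacker.com]",      # the report's crafted URL
        "https://www.benign.com/login?next=/",
        "http://benign.com@attacker.com/",        # userinfo trick
        "http://[::1]:8080/",
    ):
        print(f"{sample!r}: host={extract_host(sample)!r} "
              f"safe={is_safe_redirect(sample)}")
```

The design choice is to validate the authority as a whole before reading any sub-field from it: the parser's job is to split the URL, not to decide whether it is safe, and the two interpretations of `[` (IPv6 delimiter versus ordinary character) only become a problem when the application trusts a field derived from an authority it never checked.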