Xianbo Wang <sane...@gmail.com> added the comment:

Python2 urlparse.urlparse and urllib2.urlparse.urlparse have a similar IPv6 hostname parsing bug.

>>> urlparse.urlparse('http://nevil.com[]').hostname
'evil.com['

This is less practical to exploit since the parsed domain contains a '[' at the end.

Do I need to create a separate issue for this Python2 bug? I think the way PR 14896 fixes the python3 bug can also be applied to this.

Also, do we need a CVE ID for the python3 bug? As it may lead to some security issues in some Python apps, e.g., open-redirect. I have found such a case in a private bug bounty program.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36338>
_______________________________________
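
A defensive check for the open-redirect case mentioned in the comment above, added here as an example (Python 3; it is not part of the original message or of CPython). The names `strict_host`, `is_safe_redirect` and `ALLOWED_HOSTS` are hypothetical, and the allowlist values are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical allowlist for this example.
ALLOWED_HOSTS = {"example.com", "::1"}

# Brackets must wrap the whole host; an optional numeric port may follow.
_BRACKETED = re.compile(r"\[([0-9A-Fa-f:.]+)\](?::(\d*))?")
# Plain DNS-style name with optional port; '[' and ']' can never match.
_REG_NAME = re.compile(r"([a-z0-9-]+\.)*[a-z0-9-]+(?::(\d*))?")


def strict_host(url):
    """Return the normalised host of an absolute http(s) URL, or None.

    Brackets are accepted only when they wrap the whole host and hold a
    valid IPv6 literal, so the result never depends on how a given
    urlparse/urlsplit version slices a netloc such as 'nevil.com[]'.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # some Python versions reject bracket misuse here
        return None
    if parts.scheme not in ("http", "https"):
        return None
    hostport = parts.netloc.rpartition("@")[2]  # drop any userinfo
    m = _BRACKETED.fullmatch(hostport)
    if m:
        try:
            return ipaddress.IPv6Address(m.group(1)).compressed
        except ValueError:
            return None
    hostport = hostport.lower()
    if not _REG_NAME.fullmatch(hostport):  # rejects stray '[' or ']'
        return None
    return hostport.partition(":")[0]


def is_safe_redirect(url, allowed=ALLOWED_HOSTS):
    """Allow a redirect only when the strictly parsed host is allowlisted."""
    host = strict_host(url)
    return host is not None and host in allowed
```

The allowlist decision is made on the validated netloc rather than on `.hostname`, so it gives the same answer on interpreters with and without a fix for this issue.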