> On 5 Sep 2019, at 16:18, Random832 <random...@fastmail.com> wrote:
Thanks for taking the time to reply.
>
> On Wed, Sep 4, 2019, at 13:36, Barry Scott wrote:
>> The conclusion I reached is that the CVE only applies to client code
>> that allows a URL in unicode to be entered.
>>
>> Have I missed something important in the analysis?
>
> While as I mentioned in my other post I'm not sure if the CVE's analysis of
> URL behavior is correct generally,
Agreed, would have liked to have had more details and context.
> you have missed the fact that an HTML page can provide URLs in unicode,
> either with the page itself encoded in UTF-8, or with whatever characters
> escaped as XML character references... not only as bytes in IDNA or
> percent-escaped hex. The same principle applies to other formats in which
> URLs might be interchanged as encoded unicode strings, such as JSON. The fact
> that accessing such a URL requires converting the non-ASCII parts to IDNA
> (for the domain part) or percent-escaped hex (for other parts) doesn't limit
> this to user input.
>
> <a href="https://example.com#@bing.com">like this</a>
That gets the unicode version into the app and then the bug can be triggered.
In my case this is not a way in as the code does not parse web pages.
Barry
> --
> https://mail.python.org/mailman/listinfo/python-list
>
--
https://mail.python.org/mailman/listinfo/python-list