[issue2504] Add gettext.pgettext() and variants support
Hanno Zulla added the comment:
Can we please get pgettext for Python?
--
nosy: +Hanno.Zulla
___
Python tracker <http://bugs.python.org/issue2504>
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue14036] urlparse insufficient port property validation
zulla added the comment:
We should at least check if the .port attribute is an integer >= 1 and <= 65535, _because_ this is the only valid port range. Otherwise, it is no valid port. But it may be an integer overflow attack attempt. When a developer uses .port, he is counting on the result being valid.
--
Python tracker <http://bugs.python.org/issue14036>
[issue14036] urlparse insufficient port property validation
zulla added the comment:
Your comment is completely senseless, sorry. Of course such high port numbers do not exist. An attacker is counting on that. Imagine something like that:
    pass_to_cython(urlparse("http://google.de:99**99[to be calculated]").port)
[issue14036] urlparse insufficient port property validation
zulla added the comment:
    >>> u("http://www.google.com:99").port
    99L
[issue14036] urlparse insufficient port property validation
zulla added the comment:
I understand your point of view, but I disagree. Various libraries and projects rely on urlparse.urlparse and urllib.parse.urlparse. This bug just blew up in my face. I'm working with Cython and PyQt4. When a developer relies on ParseResult().netloc being a valid netloc, and .port being None [bool(False)] or an integer between 1-65535, really bad things can happen in an environment that has 0-tolerance for security issues (like C/C++ mixed in Python). I agree that the
    if self.scheme == "http": return 80 elif self.scheme == "https": [...]
part of my patch is debatable, but we should _at least_ ensure that IF there is a ParseResult().port, the developer can be sure that it is a valid port between 1-65545. I apologize for uploading the whole file; I attached the diff now.
regards, dan
--
keywords: +patch
Added file: http://bugs.python.org/file24541/urlparse.diff
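Added example (not part of the thread and not the attached patch): one way for calling code to enforce the guarantee asked for above, so that a port is either None or an integer in 1-65535 and anything else raises ValueError. The names strict_port and classify and the example.com URLs are constructed for illustration; treating an empty port ("host:") as absent is an assumption.

```python
import re
from urllib.parse import urlsplit

MIN_PORT, MAX_PORT = 1, 65535          # range proposed in the thread
_PORT_RE = re.compile(r"[0-9]{1,5}")   # ASCII digits only, bounded length


def strict_port(url):
    """Return None (no port) or an int in 1..65535; raise ValueError otherwise."""
    netloc = urlsplit(url).netloc           # may itself raise ValueError
    hostport = netloc.rpartition("@")[2]    # drop userinfo, if present
    if hostport.startswith("["):            # bracketed IPv6 literal
        _, sep, rest = hostport.partition("]")
        if not sep or (rest and not rest.startswith(":")):
            raise ValueError("malformed IPv6 authority: %r" % netloc)
        text = rest[1:]
    else:
        _, sep, text = hostport.rpartition(":")
        if not sep:
            return None                     # no ":" at all -> no port
    if text == "":
        return None                         # "host:" -> empty port, treated as absent
    # Check shape and length before int(): rejects signs, spaces, huge digit runs.
    if not _PORT_RE.fullmatch(text):
        raise ValueError("port is not 1-5 ASCII digits: %r" % text[:16])
    port = int(text)
    if not MIN_PORT <= port <= MAX_PORT:
        raise ValueError("port out of range: %d" % port)
    return port


def classify(url):
    """Return the port, None, or 'rejected' (helper for the samples below)."""
    try:
        return strict_port(url)
    except ValueError:
        return "rejected"


SAMPLES = [  # constructed inputs, not taken from the tracker
    "http://www.example.com:99/", "http://www.example.com/",
    "http://www.example.com:foo", "http://www.example.com:0",
    "http://www.example.com:65536", "http://www.example.com:+80",
    "http://www.example.com:" + "9" * 200, "http://[::1]:8080/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print("%-40s %r" % (url[:40], classify(url)))
```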
[issue14036] urlparse insufficient port property validation
Changes by zulla: Removed file: http://bugs.python.org/file24535/urlparse.py
[issue14036] urlparse insufficient port property validation
zulla added the comment:
Whoops. I forgot an int() :-) Here's the right patch.
--
Added file: http://bugs.python.org/file24540/testurllib.py
[issue14036] urlparse insufficient port property validation
zulla added the comment:
Hi. No, it's a patched version. It won't crash under circumstances like that [1] and won't succeed with invalid input:
    >>> import urlparse
    >>> urlparse.urlparse("http://www.google.com:foo")
    ParseResult(scheme='http', netloc='www.google.com:foo', path='', params='', query='', fragment='')
    >>> urlparse.urlparse("http://www.google.com:foo").port
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urlparse.py", line 105, in port
        port = int(netloc.split(':')[1], 10)
    ValueError: invalid literal for int() with base 10: 'foo'
    >>>
[issue14036] urlparse insufficient port property validation
zulla added the comment:
The "port" and "netloc" component of a ParsedResult-object is not properly sanitized or validated. This may lead to bypass-able hostname-based filters. Remote crash vulnerabilities may also be possible.
[issue14036] urlparse insufficient port property validation
New submission from zulla:
The "port" component of a URL is not properly sanitized or validated. This may lead to the evasion of netloc/hostname based filters or exceptions.
--
components: Library (Lib)
files: testurllib.py
messages: 153512
nosy: zulla
priority: normal
severity: normal
status: open
title: urlparse insufficient port property validation
type: security
versions: Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file24535/testurllib.py