[issue23505] Urlparse insufficient validation leads to open redirect

2015-04-06 Thread Yassine ABOUKIR
Yassine ABOUKIR added the comment: Any updates concerning this issue? Is it going to be fixed, or at least the documentation modified in order to warn developers about this behaviour? -- ___ Python tracker <http://bugs.python.org/issue23

[issue23505] Urlparse insufficient validation leads to open redirect

2015-03-06 Thread Yassine ABOUKIR
Yassine ABOUKIR added the comment: From: Amos Jeffries Date: Fri, 06 Mar 2015 14:09:55 +1300 On 6/03/2015 10:42 a.m., cve-assign () mitre org wrote: We think that the issue reduces to the question of whether it's acceptable for urlparse to provide inconsistent information abou

[issue23505] Urlparse insufficient validation leads to open redirect

2015-03-06 Thread Yassine ABOUKIR
Yassine ABOUKIR added the comment: From: cve-assign () mitre org Date: Thu, 5 Mar 2015 16:42:02 -0500 (EST) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 We think that the issue reduces to the question of whether it's acceptable for urlparse to provide inconsistent information abou

[issue23505] Urlparse insufficient validation leads to open redirect

2015-03-04 Thread Yassine ABOUKIR
Yassine ABOUKIR added the comment: "Following the syntax specifications in RFC 1808, urlparse recognizes a netloc only if it is properly introduced by ‘//’. Otherwise the input is presumed to be a relative URL and thus to start with a path component." https://docs.python.org

[issue23505] Urlparse insufficient validation leads to open redirect

2015-03-03 Thread Yassine ABOUKIR
Yassine ABOUKIR added the comment: I am not quite sure about the first proposal, but I strongly believe the appropriate method to fix this is by checking if the path starts with double slashes and then URL encoding the two leading slashes

[issue23505] Urlparse insufficient validation leads to open redirect

2015-03-02 Thread Yassine ABOUKIR
Yassine ABOUKIR added the comment: When you directly type //evil.com or evil.com in the Firefox URL bar you will be redirected to evil.com, and that is well known; read this: http://homakov.blogspot.com/2014/01/evolution-of-open-redirect-vulnerability.html Here is a video demonstration of the

[issue23505] Urlparse insufficient validation leads to open redirect

2015-03-02 Thread Yassine ABOUKIR
Yassine ABOUKIR added the comment: Yes, exploiting this bug an attacker may redirect a specific victim to a malicious website, in our case evil.com >>> x = urlparse("evil.com") ///evil.com will be parsed as relative-path URL which is the correct expected beh

[issue23505] Urlparse insufficient validation leads to open redirect

2015-03-02 Thread Yassine ABOUKIR
Yassine ABOUKIR added the comment: For your information, this security issue has been assigned a CVE ID : CVE-2015-2104 -- ___ Python tracker <http://bugs.python.org/issue23

[issue23505] Urlparse insufficient validation leads to open redirect

2015-02-28 Thread Yassine ABOUKIR
Changes by Yassine ABOUKIR : -- nosy: +benjamin.peterson, pitrou, python-dev ___ Python tracker <http://bugs.python.org/issue23505> ___ ___ Python-bugs-list mailin

[issue23505] Urlparse insufficient validation leads to open redirect

2015-02-23 Thread Yassine ABOUKIR
New submission from Yassine ABOUKIR: The module urlparse lacks proper validation of the input, leading to an open redirect vulnerability. The issue is that URLs do not survive the round-trip through `urlunparse(urlparse(url))`. Python sees `/foo.com` as a URL with no hostname or scheme and