Hanno Zulla added the comment:
Can we please get pgettext for Python?
--
nosy: +Hanno.Zulla
Python tracker
<http://bugs.python.org/issue2504>
zulla added the comment:
We should at least check if the .port attribute is an integer >= 1 and <= 65535, _because_ this is the only valid port range. Otherwise, it is no valid port, but it may be an integer overflow attack attempt.
when a developer uses .port, he is counting on the
zulla added the comment:
Your comment is completely senseless, sorry.
Of course such high port numbers do not exist.
An attacker is counting on that. Imagine something like that
pass_to_cython(urlparse("http://google.de:99**99[to be calculated]&q
zulla added the comment:
>>> u("http://www.google.com:99").port
99L
--
zulla added the comment:
I understand your point of view, but I disagree.
Various libraries and projects rely on urlparse.urlparse and urllib.parse.urlparse.
This bug just blew up in my face. I'm working with Cython and PyQt4.
When a developer relies on ParseResult().netloc being a
Changes by zulla:
Removed file: http://bugs.python.org/file24535/urlparse.py
Python tracker
<http://bugs.python.org/issue14036>
zulla added the comment:
Whoops. I forgot an int() :-)
Here's the right patch.
--
Added file: http://bugs.python.org/file24540/testurllib.py
zulla added the comment:
Hi. No, it's a patched version. It won't crash under circumstances like that
[1] and won't succeed with invalid input:
>>> import urlparse
>>> urlparse.urlparse("http://www.google.com:foo")
ParseResult(scheme='htt
zulla added the comment:
The "port" and "netloc" component of a ParsedResult-object is not properly
sanitized or validated. This may lead to bypass-able hostname-based filters.
Remote Crash vulnerabilities be be also possible.
--
New submission from zulla :
The "port" component of a URL is not properly be sanitized or validated. This
may lead to the evasion of netloc/hostname based filters or exceptions.
--
components: Library (Lib)
files: testurllib.py
messages: 153512
nosy: zulla
priority: norma