[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability

Ilya Konstantinov added the comment: >From RFC-1738: hostname = *[ domainlabel "." ] toplabel domainlabel= alphadigit | alphadigit *[ alphadigit | "-" ] alphadigit toplabel = alpha | alpha *[ alphadigit | "-" ] alphadigit alphadigit = alpha | digit However: py>

[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability

Steven D'Aprano added the comment: > The “urllib.parse” module generally follows RFC 3986, which does not > allow a literal backslash in the “userinfo” part: And yet the parse() function seems to allow arbitrary unescaped characters. This is from 3.8.0a0: py> from urllib.parse import

[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability

Martin Panter added the comment: The “urllib.parse” module generally follows RFC 3986, which does not allow a literal backslash in the “userinfo” part: userinfo = *( unreserved / pct-encoded / sub-delims / ":" ) unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" pct-encoded = "%" HEXDIG

[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability

Steven D'Aprano added the comment: I believe that Python's behaviour here is correct. You are supplying a netloc which includes a username "www.google.com\" with no password. That might be what you intend to do, or it might be malicious data. That depends on context, and the urlparse module

[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability

Karthikeyan Singaravelan added the comment: There are also some notes at https://tools.ietf.org/html/rfc3986#section-7.6 Because the userinfo subcomponent is rarely used and appears before the host in the authority component, it can be used to construct a URI intended to mislead a human user

[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability

Karthikeyan Singaravelan added the comment: I just tested other implementations in Ruby and Go and they too return host as "evil.com" for "http://www.google@evil.com; along with the user info component. $ ruby -e 'require "uri"; puts URI("http://www.google@evil.com;).hostname'

[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability

Christian Heimes added the comment: You cannot compare a low level library like Python's urllib module with a user interface like a modern browser. Browsers do a lot of extra work to make sense of user input. For example Firefox and Chrome mangle your example URL and replace \ with /.

[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability

Neeraj Sonaniya added the comment: Hi, I know that \ (backslash) should be encoded to url encoding (%5c) but if the same url (without urlencoded form) typed into URL bar of browser we are getting hostname to 'https://www.google.com' -- ___

[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability

Martin Panter added the comment: FWIW I understand the backslash should be percent-encoded in URLs, otherwise the URL is not valid. This reminds me of a few other bugs: * Issue 30500: Made the behaviour of fragment (#. . .) versus userinfo (. . .@) consistent, e.g. in

[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability

Change by Karthikeyan Singaravelan : -- nosy: +martin.panter ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability

New submission from Neeraj Sonaniya : Summary: It have been identified that `urlparse` under `urllib.parse` module is detecting wrong hostname which could leads to a security issue known as Open redirect vulnerability. Steps to reproduce the issue: Following code will help you in