> On 5 Sep 2019, at 16:18, Random832 wrote:
Thanks for taking the time to reply.
>
> On Wed, Sep 4, 2019, at 13:36, Barry Scott wrote:
>> The conclusion I reached is that the CVE only applies to client code
>> that allows a URL in unicode to be entered.
>>
>> Have I missed something import
On Wed, Sep 4, 2019, at 13:36, Barry Scott wrote:
> The conclusion I reached is that the CVE only applies to client code
> that allows a URL in unicode to be entered.
>
> Have I missed something important in the analysis?
While as I mentioned in my other post I'm not sure if the CVE's analysis o
On Wed, Sep 4, 2019, at 13:36, Barry Scott wrote:
> I have been looking into CVE-2019-9636 and I'm not sure that
> python code that works in bytes is vulnerable to this.
I'm not convinced that the CVE (or, at least, the description in the bug
report... it's also unclear to me whether this is an a
I have been looking into CVE-2019-9636 and I'm not sure that
python code that works in bytes is vulnerable to this.
The "trick" to make the CVE dangerous assumes that you
have a unicode string with \uff03 (FULLWIDTH NUMBER SIGN)
that under NFKC turns into '#'.
The discussion in https://bugs
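
The normalization step mentioned in the message above, as an added example that is not part of the original post or the thread: a check that flags non-ASCII characters in a URL's authority part that become URL delimiters under NFKC. The function names and sample URLs are constructed for illustration, and rejecting with `ValueError` is an assumption of this sketch.

```python
import unicodedata

URL_DELIMS = "/?#@:"  # characters that end or structure the authority part


def authority(url):
    """Return the text between '//' and the first '/', '?' or '#'."""
    rest = url.split("//", 1)[1]
    for i, ch in enumerate(rest):
        if ch in "/?#":
            return rest[:i]
    return rest


def authority_after_nfkc(url):
    """Authority as seen by code that NFKC-normalizes the URL before parsing."""
    return authority(unicodedata.normalize("NFKC", url))


def nfkc_delimiter_hits(netloc):
    """List (char, NFKC form) for non-ASCII chars that normalize to a delimiter."""
    hits = []
    for ch in netloc:
        if ord(ch) < 128:
            continue  # plain ASCII is unchanged by NFKC
        norm = unicodedata.normalize("NFKC", ch)
        if any(d in norm for d in URL_DELIMS):
            hits.append((ch, norm))
    return hits


def check_url(url):
    """Return url unchanged, or raise ValueError if its authority is ambiguous."""
    hits = nfkc_delimiter_hits(authority(url))
    if hits:
        raise ValueError(f"netloc normalizes to URL delimiters: {hits!r}")
    return url


# Constructed sample inputs (hosts under the reserved .example TLD).
SAMPLE_AMBIGUOUS = "http://a.example\uff03@b.example/path"
SAMPLE_PLAIN_IDN = "http://b\u00fccher.example/path"

if __name__ == "__main__":
    print(repr(authority(SAMPLE_AMBIGUOUS)))             # before normalization
    print(repr(authority_after_nfkc(SAMPLE_AMBIGUOUS)))  # after normalization
    print(check_url(SAMPLE_PLAIN_IDN))
```

The two authority values differ for the ambiguous sample, which is the disagreement a check like this is meant to catch before the URL reaches code that normalizes it.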