Date: Fri, 06 Mar 2015 14:09:55 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Re: unassigning CVE-2015-2104

On 6/03/2015 10:42 a.m., cve-assign@...re.org wrote:
> We think that the issue reduces to the question of whether it's
> acceptable for urlparse to provide inconsistent information about the
> structure of a URL.
>
> https://docs.python.org/2/library/urlparse.html says:
>
>   urlparse.urlparse(urlstring[, scheme[, allow_fragments]])
>   Parse a URL into six components, returning a 6-tuple. This
>   corresponds to the general structure of a URL:
>   scheme://netloc/path;parameters?query#fragment.

My 2c ... no it does not. There are 7 parts in a URL. What is called
"netloc" in that description is actually two fields:

  [userinfo '@'] authority

The userinfo field is very much alive and well in non-HTTP schemes.
Ignoring the userinfo field leaves implementations open to attacks of
the form:

  scheme://example.com@...shing.com/path

AYJ
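The point Amos makes above is that "netloc" is really "[userinfo '@'] host[:port]", so code that compares or inspects netloc as though it were the host can be fooled. The following is an added example, not part of the oss-security thread and not code from Python or Squid; it uses Python 3's urllib.parse (which exposes the same netloc/hostname split as the Python 2 urlparse module under discussion; that equivalence is an assumption) and constructed placeholder hostnames (trusted.example, other.example, files.example) to contrast a naive netloc check with one that validates the host the client would actually connect to.

```python
"""Added example: show that a "netloc" value can hide a userinfo
component, and validate the real target host instead of the raw netloc.
Uses Python 3's urllib.parse; hostnames below are constructed placeholders."""
from urllib.parse import urlsplit

# Constructed sample URLs (placeholder hosts, not real sites).
SAMPLES = [
    "https://trusted.example/login",
    "https://trusted.example@other.example/login",
    "ftp://user:secret@files.example/pub/file.txt",
    "https://trusted.example:8443/login",
]

# Constructed allowlist of hosts this application may talk to.
ALLOWED_HOSTS = {"trusted.example"}


def split_netloc(url):
    """Return (userinfo, host, port) for a URL.

    urlsplit() reports the whole '[userinfo@]host[:port]' string as
    .netloc, but also exposes .username/.password/.hostname/.port,
    which is what a host check must use."""
    parts = urlsplit(url)
    userinfo = None
    if parts.username is not None or parts.password is not None:
        userinfo = (parts.username or "", parts.password)
    return userinfo, parts.hostname, parts.port


def is_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """Allow a URL only if the real target host is allowlisted.

    .hostname ignores the userinfo entirely, so a leading
    'trusted.example@' cannot influence the decision."""
    _, host, _ = split_netloc(url)
    return host is not None and host.lower() in allowed_hosts


def naive_startswith_check(url, allowed_hosts=ALLOWED_HOSTS):
    """The mistake the thread warns about: treating netloc as the host.
    A prefix match accepts 'trusted.example@other.example'."""
    netloc = urlsplit(url).netloc
    return any(netloc.startswith(h) for h in allowed_hosts)


def report(urls=SAMPLES):
    """Return one dict per URL contrasting the two checks."""
    rows = []
    for url in urls:
        userinfo, host, port = split_netloc(url)
        rows.append({
            "url": url,
            "netloc": urlsplit(url).netloc,
            "has_userinfo": userinfo is not None,
            "host": host,
            "port": port,
            "naive_ok": naive_startswith_check(url),
            "allowed": is_allowed(url),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

Running it shows the second sample has netloc "trusted.example@other.example" but hostname "other.example": the naive prefix check passes it, the hostname-based allowlist rejects it. Logging or rejecting any URL where `has_userinfo` is set is a cheap additional control for schemes where userinfo is never expected.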