Date: Fri, 06 Mar 2015 14:09:55 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Re: unassigning CVE-2015-2104

On 6/03/2015 10:42 a.m., cve-assign@...re.org wrote:
> We think that the issue reduces to the question of whether it's
> acceptable for urlparse to provide inconsistent information about the
> structure of a URL.
> 
> https://docs.python.org/2/library/urlparse.html says:
> 
>    urlparse.urlparse(urlstring[, scheme[, allow_fragments]])
>    Parse a URL into six components, returning a 6-tuple. This
>    corresponds to the general structure of a URL:
>    scheme://netloc/path;parameters?query#fragment.

My 2c ... no it does not.

There are 7 parts in a URL. What is called "netloc" in that description
is actually two fields: [userinfo '@'] authority

The userinfo field is very much alive and well in non-HTTP schemes.


Ignoring the userinfo field leaves implementations open to attacks of
the form:
   scheme://example.com@...shing.com/path

AYJ
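The following is an added example, not code from the post above or from Python's own documentation. It uses Python 3's urllib.parse.urlparse (the successor of the Python 2 urlparse module quoted in the thread; both expose the same netloc, username and hostname fields) to show what the post describes: "netloc" carries both the userinfo and the host, so a check that looks at the start of a URL, or at netloc as if it were the host, accepts scheme://trusted-host@attacker-host/path. All sample URLs are constructed for this example, attacker.example is a placeholder domain, and the function names are the example's own.

```python
"""
Added example (not from the original post or from Python's documentation):
urlparse's "netloc" is really two fields, [userinfo '@'] host[:port].
A trust check that ignores this is fooled by  scheme://trusted@attacker/path.
"""
from urllib.parse import urlparse   # Python 3 name of the Python 2 'urlparse' module

TRUSTED_HOST = "example.com"

# Constructed sample inputs; attacker.example is a placeholder, not a real target.
HONEST_URL = "https://example.com/login"
LOOKALIKE_URL = "https://example.com@attacker.example/login"          # userinfo == trusted host
LOOKALIKE_WITH_PORT = "https://example.com:443@attacker.example:8443/login"
FTP_URL = "ftp://anonymous:guest@ftp.example:21/pub/;type=d?x=1#top"  # userinfo in a non-HTTP scheme


def naive_is_trusted(url: str) -> bool:
    """The broken check: 'it starts with our origin, so it is ours'.
    Passes the look-alike URLs because 'example.com' is the userinfo, not the host."""
    return url.startswith("https://" + TRUSTED_HOST)


def netloc_of(url: str) -> str:
    """What the six-component description calls 'netloc': userinfo + host + port, all in one string."""
    return urlparse(url).netloc


def split_authority(netloc: str):
    """Split netloc into (userinfo or None, host[:port]) by hand.
    An unencoded '@' may not appear inside userinfo (RFC 3986), so the LAST '@'
    is the boundary; splitting on the first '@' would be wrong for 'a@b@host'."""
    userinfo, sep, hostport = netloc.rpartition("@")
    return (userinfo if sep else None), hostport


def seven_parts(url: str):
    """The seven fields the post counts: scheme, userinfo, authority, path, params, query, fragment."""
    p = urlparse(url)
    userinfo, hostport = split_authority(p.netloc)
    return (p.scheme, userinfo, hostport, p.path, p.params, p.query, p.fragment)


def real_host(url: str) -> str:
    """The host a client would actually connect to: .hostname drops userinfo and port
    (and lower-cases the name), unlike .netloc."""
    return urlparse(url).hostname or ""


def strict_is_trusted(url: str) -> bool:
    """Hardened check: compare the real host, and refuse any userinfo at all,
    since an https URL we mint ourselves never needs one."""
    p = urlparse(url)
    return p.scheme == "https" and p.username is None and p.hostname == TRUSTED_HOST


if __name__ == "__main__":
    for url in (HONEST_URL, LOOKALIKE_URL, LOOKALIKE_WITH_PORT, FTP_URL):
        print(url)
        print("  netloc     :", netloc_of(url))
        print("  seven parts:", seven_parts(url))
        print("  naive/strict trusted:", naive_is_trusted(url), strict_is_trusted(url))
```

Run stand-alone, the script prints, for the look-alike URL, a netloc of example.com@attacker.example, a real host of attacker.example, and a naive verdict of trusted against a strict verdict of untrusted. Note that the hand-rolled split_authority and the library's .hostname agree on where the host starts; the library's .username is the value a user would read first and is exactly what the post's scheme://example.com@... pattern exploits.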
