Message 236470 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

In-reply-to
Author	yaaboukir
Recipients	yaaboukir
Date	2015年02月24日.00:11:53
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1424736713.95.0.74935935546.issue23505@psf.upfronthosting.co.za>

Content
The module urlparse lacks proper validation of the input leading to open redirect vulnerability. The issue is that URLs do not survive the round-trip through `urlunparse(urlparse(url))`. Python sees `/////foo.com` as a URL with no hostname or scheme and a path of `//foo.com`, but when it reconstructs the URL after parsing, it becomes `//foo.com`. This can be practically exploited this way : http://example.com/login?next=/////evil.com The for fix this would be for `urlunparse()` to serialize paths with two leading slashes as '/%2F', at least when `scheme` and `netloc` are empty.

Content

The module urlparse lacks proper validation of the input leading to open redirect vulnerability.
The issue is that URLs do not survive the round-trip through `urlunparse(urlparse(url))`. Python sees `/////foo.com` as a URL with no hostname or scheme and a path of `//foo.com`, but when it reconstructs the URL after parsing, it becomes `//foo.com`.
This can be practically exploited this way : http://example.com/login?next=/////evil.com
The for fix this would be for `urlunparse()` to serialize paths with two leading slashes as '/%2F', at least when `scheme` and `netloc` are empty.

History
Date	User	Action	Args
2015年02月24日 00:11:53	yaaboukir	set	recipients: + yaaboukir
2015年02月24日 00:11:53	yaaboukir	set	messageid: <1424736713.95.0.74935935546.issue23505@psf.upfronthosting.co.za>
2015年02月24日 00:11:53	yaaboukir	link	issue23505 messages
2015年02月24日 00:11:53	yaaboukir	create

homepage