
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

Author vstinner
Recipients benjamin.peterson, martin.panter, orsenthil, pitrou, python-dev, soilandreyes, vstinner, yaaboukir
Date 2015-03-02.23:54:15
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1425340455.72.0.458086049055.issue23505@psf.upfronthosting.co.za>
In-reply-to
Content
> This can be practically exploited this way : http://example.com/login?next=/////evil.com
Can you please elaborate on the "exploit" part? 
In Firefox, the "////etc/passwd" link shows me my local file /etc/passwd. Ok, but how is it an issue?
"//etc/passwd" also shows me file:////etc/passwd.
The OWASP article on Open Redirect shows an example of redirecting to a different website. Can you show an example of how to redirect to a website and not a file:// URL?
https://www.owasp.org/index.php/Open_redirect 
History
Date User Action Args
2015-03-02 23:54:15  vstinner  set     recipients: + vstinner, orsenthil, pitrou, benjamin.peterson, python-dev, martin.panter, soilandreyes, yaaboukir
2015-03-02 23:54:15  vstinner  set     messageid: <1425340455.72.0.458086049055.issue23505@psf.upfronthosting.co.za>
2015-03-02 23:54:15  vstinner  link    issue23505 messages
2015-03-02 23:54:15  vstinner  create
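
Added example, not part of the original message or of CPython: one way a login handler can validate the `next` parameter from the URL quoted above so that it only ever redirects to a single-slash local path, whatever a particular browser or `urlparse` version makes of repeated leading slashes. The function names and `DEFAULT_TARGET` are hypothetical.

```python
from urllib.parse import parse_qs, urlsplit

DEFAULT_TARGET = "/"  # hypothetical fallback page after login


def is_local_path(target: str) -> bool:
    """Accept only same-site paths such as "/account?tab=1"."""
    # Must be an absolute path on this site.
    if not target.startswith("/"):
        return False
    # Two or more leading slashes ("//etc/passwd", "/////evil.com") are
    # refused outright rather than interpreted, so the result does not
    # depend on how a parser or browser resolves them.
    if target.startswith("//"):
        return False
    # Some browsers treat a backslash like a forward slash.
    if "\\" in target:
        return False
    # Control characters (tab, CR, LF, ...) may be stripped during URL
    # parsing, which can change what the remaining string means.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Defence in depth: the parser must also see no scheme and no host.
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def redirect_target(request_url: str) -> str:
    """Return the value to put in the Location header for this request."""
    query = parse_qs(urlsplit(request_url).query)
    candidate = query.get("next", [""])[0]
    return candidate if is_local_path(candidate) else DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed sample requests; the first is the URL quoted in the message.
    for url in (
        "http://example.com/login?next=/////evil.com",
        "http://example.com/login?next=//etc/passwd",
        "http://example.com/login?next=/account%3Ftab%3D1",
    ):
        print(url, "->", redirect_target(url))
```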
