Message237412
| Author |
yaaboukir |
| Recipients |
PaulMcMillan, benjamin.peterson, martin.panter, orsenthil, pitrou, python-dev, soilandreyes, vstinner, yaaboukir |
| Date |
2015年03月07日.02:55:10 |
| SpamBayes Score |
-1.0 |
| Marked as misclassified |
Yes |
| Message-id |
<1425696910.76.0.0796022266632.issue23505@psf.upfronthosting.co.za> |
| In-reply-to |
| Content |
From: Amos Jeffries <squid3 () treenet co nz>
Date: 2015年3月06日 14:09:55 +1300
On 6/03/2015 10:42 a.m., cve-assign () mitre org wrote:
We think that the issue reduces to the question of whether it's
acceptable for urlparse to provide inconsistent information about the
structure of a URL.
https://docs.python.org/2/library/urlparse.html says:
urlparse.urlparse(urlstring[, scheme[, allow_fragments]])
Parse a URL into six components, returning a 6-tuple. This
corresponds to the general structure of a URL:
scheme://netloc/path;parameters?query#fragment.
My 2c ... no it does not.
There are 7 parts in a URL. What is called "netloc" in that description
is actually two fields: [userinfo '@'] authority
The userinfo field is very much alive and well in non-HTTP schemes.
Ignoring the userinfo field leaves implementations open to attacks of
the form:
scheme://example.com () phishing com/path
AYJ |
|