oss-sec mailing list archives
Re: Re: unassigning CVE-2015-2104
From: Amos Jeffries <squid3 () treenet co nz>
Date: Fri, 06 Mar 2015 14:09:55 +1300
On 6/03/2015 10:42 a.m., cve-assign () mitre org wrote:
We think that the issue reduces to the question of whether it's acceptable for urlparse to provide inconsistent information about the structure of a URL. https://docs.python.org/2/library/urlparse.html says: urlparse.urlparse(urlstring[, scheme[, allow_fragments]]) Parse a URL into six components, returning a 6-tuple. This corresponds to the general structure of a URL: scheme://netloc/path;parameters?query#fragment.
My 2c ... no it does not. There are 7 parts in a URL. What is called "netloc" in that description is actually two fields: [userinfo '@'] authority The userinfo field is very much alive and well in non-HTTP schemes. Ignoring the userinfo field leaves implementations open to attacks of the form: scheme://example.com () phishing com/path AYJ
Current thread:
- unassigning CVE-2015-2104 Paul McMillan (Mar 04)
- Re: unassigning CVE-2015-2104 Kurt Seifried (Mar 04)
- Re: unassigning CVE-2015-2104 cve-assign (Mar 05)
- Re: Re: unassigning CVE-2015-2104 Amos Jeffries (Mar 05)