We recently disclosed and patched a potential vulnerability in Python
applications that use urlsplit() or urlparse() on user-provided URLs.
You may be impacted if a user can provide a Unicode URL to your
application that is later converted to IDNA (Punycode) or ASCII. This
conversion will decompose certain Unicode characters that can affect the
netloc part of your URL, potentially resulting in requests being sent to
an unexpected host.
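As an added illustration (not part of this announcement or of CPython's own code), the check below shows the mechanism described above and the kind of guard an application can apply on its side: a netloc that is ASCII cannot change under NFKC normalization, but a Unicode netloc may decompose into characters that act as URL delimiters. The sample URL and the U+2100 character used in the comments are constructed for the example; the function names are hypothetical.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters that, if introduced into a netloc by normalization, change which
# host a URL refers to (userinfo separator, port separator, path/query/fragment).
URL_DELIMITERS = "/?#@:"


def netloc_nfkc_safe(netloc: str) -> bool:
    """Return True if NFKC-normalizing netloc cannot introduce URL delimiters."""
    if not netloc or netloc.isascii():
        return True
    # Delimiters already present in the netloc are legitimate (e.g. '@' before a
    # host, ':' before a port); strip them so only newly introduced ones count.
    stripped = netloc
    for c in "@:#?":
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True
    return not any(c in normalized for c in URL_DELIMITERS)


def nfkc_form(netloc: str) -> str:
    """What an IDNA/ASCII conversion (which applies NFKC) turns the netloc into."""
    return unicodedata.normalize("NFKC", netloc)


def host_after_check(url: str) -> str:
    """Split url and return its hostname only if the netloc passes the check.

    Raises ValueError otherwise.  A patched interpreter already raises from
    urlsplit() itself; an unpatched one returns the netloc unchanged and the
    explicit check below catches it.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        raise ValueError(f"rejected by urlsplit: {exc}") from None
    if not netloc_nfkc_safe(parts.netloc):
        raise ValueError(
            f"netloc {parts.netloc!r} becomes {nfkc_form(parts.netloc)!r} "
            "under NFKC normalization; refusing to use it"
        )
    return parts.hostname


if __name__ == "__main__":
    # Constructed samples: a plain URL, a netloc containing a fullwidth full
    # stop (normalizes to '.', harmless), and one containing U+2100, which
    # NFKC decomposes to the three characters 'a/c'.
    for sample in (
        "http://example.com/path",
        "http://exa\uff0emple.com/path",
        "http://example.com\u2100/path",
    ):
        try:
            print(sample, "->", host_after_check(sample))
        except ValueError as exc:
            print(sample, "-> REJECTED:", exc)
```

The check mirrors the shape of the fix: it only looks for delimiters that normalization *introduces*, so a netloc whose NFKC form merely changes benign characters (such as a fullwidth '.') is still accepted, while one whose host would gain a '/', '@', ':' and so on is refused before any request is made.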
All versions of Python are affected. Patches have been applied for the
next releases of 2.7, 3.7 and 3.8, and are under review for 3.4, 3.5 and
3.6.
Full details, links to the patches, and workarounds for applications are
available at:
* https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
* https://bugs.python.org/issue36216
A CVE number has been requested but is not yet available.
The issue was discovered by Jonathan Birch of Microsoft Corporation and
Panayiotis Panayiotou, and reported to the Python Security Response Team
<security(a)python.org>.