Vulnerability: urlsplit does not handle NFKC normalization
We recently disclosed and patched a potential vulnerability in Python applications that use urlsplit() or urlparse() on user-provided URLs.
You may be impacted if a user can provide a Unicode URL to your application that is later converted to IDNA (Punycode) or ASCII. This conversion will decompose certain Unicode characters that can affect the netloc part of your URL, potentially resulting in requests being sent to an unexpected host.
All versions of Python are affected. Patches have been applied for the next releases of 2.7, 3.7 and 3.8, and are under review for 3.4, 3.5 and 3.6.
Full details, links to the patches, and workarounds for applications are available at:

* https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
A CVE number has been requested but is not yet available.
The issue was discovered by Jonathan Birch of Microsoft Corporation and Panayiotis Panayiotou, and reported to the Python Security Response Team <security@python.org>.
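As an added illustration, not code from the advisory, the linked page or CPython, the script below shows the mechanism described above: a netloc that parses one way before normalization and another way after NFKC, plus a workaround-style check in the spirit of the fix (normalize the netloc and refuse it if a delimiter appears). The sample URLs, the choice of U+FF03 FULLWIDTH NUMBER SIGN as the decomposing character, and the helper names are my own assumptions; naive_netloc is a simplified stand-in for the pre-fix split, not the stdlib implementation.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample inputs, not taken from the advisory. U+FF03 is
# FULLWIDTH NUMBER SIGN; NFKC normalization maps it to ASCII '#', which
# is a URL delimiter, so the host boundary moves after normalization.
SAMPLE_URL = "https://example.com\uFF03@bing.com/path"
# Non-ASCII but NFKC-stable: U+00FC is already composed, nothing decomposes.
SAFE_URL = "https://b\u00FCcher.example/path"

URL_DELIMITERS = "/?#@:"


def naive_netloc(url):
    """Netloc as a pre-fix urlsplit derived it: everything between '//' and
    the first '/', '?' or '#', with no Unicode normalization at all.
    Simplified reimplementation for illustration, not the stdlib code."""
    _, sep, rest = url.partition("//")
    if not sep:
        return ""
    end = len(rest)
    for delim in "/?#":
        i = rest.find(delim)
        if 0 <= i < end:
            end = i
    return rest[:end]


def naive_hostname(url):
    """Host the unnormalized parse reports: text after the last '@',
    before any ':port'."""
    host = naive_netloc(url).rpartition("@")[2]
    return host.partition(":")[0].lower()


def effective_hostname(url):
    """Host a client sees once the URL has been NFKC-normalized, which is
    what IDNA encoding of the host does. Only ASCII reaches urlsplit here,
    so this works on both patched and unpatched interpreters."""
    return urlsplit(unicodedata.normalize("NFKC", url)).hostname


def netloc_changes_under_nfkc(netloc):
    """Workaround check in the spirit of the CPython fix: report a netloc
    whose NFKC form introduces a delimiter that was not there before."""
    if not netloc or all(ord(c) < 128 for c in netloc):
        return False  # pure ASCII is NFKC-stable
    stripped = netloc
    for c in "@:#?":  # delimiters already present are not the problem
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    return any(c in normalized for c in URL_DELIMITERS)


def safe_urlsplit(url):
    """urlsplit wrapper: refuse URLs whose netloc changes meaning under NFKC."""
    netloc = naive_netloc(url)
    if netloc_changes_under_nfkc(netloc):
        raise ValueError("netloc %r contains invalid characters "
                         "under NFKC normalization" % netloc)
    return urlsplit(url)


if __name__ == "__main__":
    print("parsed host:   ", naive_hostname(SAMPLE_URL))      # bing.com
    print("effective host:", effective_hostname(SAMPLE_URL))  # example.com
    for url in (SAMPLE_URL, SAFE_URL):
        try:
            print("accepted:", safe_urlsplit(url).hostname)
        except ValueError as exc:
            print("rejected:", exc)
```

The point of the two hostname helpers is the gap between them: an application that authorizes the host from the unnormalized parse (bing.com) and then hands the URL to a client that IDNA-encodes the host connects to example.com instead. Running the check on the unnormalized netloc, before any allow-listing, closes that gap on interpreters that do not yet carry the fix.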
This issue is now assigned CVE-2019-9636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636
On 07Mar2019 1052, Steve Dower wrote:
> We recently disclosed and patched a potential vulnerability in Python applications that use urlsplit() or urlparse() on user-provided URLs.
> You may be impacted if a user can provide a Unicode URL to your application that is later converted to IDNA (Punycode) or ASCII. This conversion will decompose certain Unicode characters that can affect the netloc part of your URL, potentially resulting in requests being sent to an unexpected host.
> All versions of Python are affected. Patches have been applied for the next releases of 2.7, 3.7 and 3.8, and are under review for 3.4, 3.5 and 3.6.
> Full details, links to the patches, and workarounds for applications are available at:
>
> * https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
> A CVE number has been requested but is not yet available.
> The issue was discovered by Jonathan Birch of Microsoft Corporation and Panayiotis Panayiotou, and reported to the Python Security Response Team <security@python.org>.