[Python-bugs-list] [Bug #128764] urllib.splithost() chokes on password containing '/'

noreply@sourceforge.net noreply@sourceforge.net
Sun, 14 Jan 2001 14:57:16 -0800


Bug #128764, was updated on 2001-Jan-14 14:03
Here is a current snapshot of the bug.

Project: Python
Category: Python Library
Status: Closed
Resolution: Invalid
Bug Group: Not a Bug
Priority: 5
Submitted by: dougfort
Assigned to : gvanrossum
Summary: urllib.splithost() chokes on password containing '/'

Details: urllib.splithost() uses a regular expression to split url
hostnames of the form 'http://userid:password@host...' 

The regex stops at the first '/'.  If the password contains a '/' the
results are invalid.

I'm submitting this as a bug, rather than a diff, because I'm afraid to
mess with the regex.  If I come up with something, I'll send in a diff. 

Follow-Ups:

Date: 2001-Jan-14 14:56
By: gvanrossum

Comment:
This is not a bug -- if you allow arbitrary characters in the password, the
URL could become totally ambiguous.  E.g. what if the password started with
"80/"?  How can a browser know what is meant if the URL is
"http://user:80/garbage@host" ???

According to RFC 1738: ``Within the user and password field, any ":", "@",
or "/" must be encoded.''

The splituser() function correctly calls unquote() to remove the %xx
encoding from the username and password.

-------------------------------------------------------

For detailed info, follow this link:
http://sourceforge.net/bugs/?func=detailbug&bug_id=128764&group_id=5470