[issue44744] [security] Open redirect attack due to insufficient validation in Urlparse
ready-research
report at bugs.python.org
Mon Jul 26 22:52:17 EDT 2021
ready-research <readyresearchsec at gmail.com> added the comment:
Node.js recommends using the WHATWG URL API, which handles all of these correctly. We can test the same using https://jsdom.github.io/whatwg-url/
For example, test the inputs below; it will return the same (correct) result for all of them.
https:///www.attacker.com/a/b
https:/www.attacker.com/a/b
https:\www.attacker.com/a/b
https:/\/\/\www.attacker.com/a/b
https:/\www.attacker.com/a/b
```
href https://www.attacker.com/a/b
protocol https:
username (empty string)
password (empty string)
port (empty string)
hostname www.attacker.com
pathname /a/b
search (empty string)
hash (empty string)
```
SUMMARY:
Python's urlparse() function should also handle all of the above in the same way.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue44744>
_______________________________________
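
An added example, not part of the tracker comment or of CPython: it shows how `urllib.parse.urlsplit` splits the five inputs above (scheme `https`, empty netloc, host text left in the path) and one way a redirect check can refuse the inputs on which it and a WHATWG parser disagree. `is_safe_redirect`, `python_view`, `ALLOWED_HOSTS` and `www.example.com` are hypothetical names chosen for illustration.

```python
from urllib.parse import urlsplit

# The five inputs from the comment above.
SAMPLES = [
    "https:///www.attacker.com/a/b",
    "https:/www.attacker.com/a/b",
    "https:\\www.attacker.com/a/b",
    "https:/\\/\\/\\www.attacker.com/a/b",
    "https:/\\www.attacker.com/a/b",
]

ALLOWED_HOSTS = {"www.example.com"}  # assumption: the application's own host


def python_view(url):
    """Return (scheme, netloc, path) as urllib.parse sees the URL."""
    parts = urlsplit(url)
    return parts.scheme, parts.netloc, parts.path


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept only same-site paths or absolute URLs to an allowed host."""
    # Backslashes, whitespace and control characters are rewritten or
    # dropped by WHATWG parsers, so a browser may see a different URL.
    if not target or "\\" in target:
        return False
    if any(c.isspace() or ord(c) < 0x20 for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme:
        # A scheme with an empty netloc ("https:/host/...") is a path to
        # urlsplit but a host to a WHATWG parser: refuse the ambiguity.
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return False
        return parts.hostname in allowed_hosts
    # No scheme: require a single leading slash and no authority part.
    return (not parts.netloc and target.startswith("/")
            and not target.startswith("//"))


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:42} urlsplit={python_view(s)} safe={is_safe_redirect(s)}")
```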