Bugs item #1546628, was opened at 2006-08-25 10:04
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1546628&group_id=5470
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Python Library
Group: Python 2.4
Status: Open
Resolution: None
Priority: 5
Submitted By: Andres Riancho (andresriancho)
Assigned to: Nobody/Anonymous (nobody)

Summary: urlparse.urljoin odd behaviour

Initial Comment:
Hi!

I think I have found a bug in the urljoin function of the urlparse module. I'm using Python 2.4.3 (#2, Apr 27 2006, 14:43:58), [GCC 4.0.3 (Ubuntu 4.0.3-1ubuntu5)] on linux2. Here is a demo of the bug:

>>> import urlparse
>>> urlparse.urljoin('http://www.f00.com/','//a')
'http://a'
>>> urlparse.urljoin('http://www.f00.com/','https://0000/somethingIsWrong')
'https://0000/somethingIsWrong'
>>> urlparse.urljoin('http://www.f00.com/','https://0000/somethingIsWrong')
'https://0000/somethingIsWrong'
>>> urlparse.urljoin('http://www.f00.com/','file:///etc/passwd')
'file:///etc/passwd'

The result of the first call to urljoin should be either 'http://www.f00.com/a' or 'http://www.f00.com//a'. The result of the second and third calls to urljoin should be 'http://www.f00.com/', or maybe an exception? Please correct me if I'm wrong and this is some kind of feature or the bug was already reported.

This bug can result in a security vuln; take this code as an example:

// viewImage.py //
import htmlTools  # Some fake module, just for the example
import urlparse   # module with bug.

htmlTools.startHtml()  # print <html>
params = htmlTools.getParams()  # get the query string parameters
htmlTools.printToHtml( '<img src=' + urlparse.urljoin( 'http://myWebsite/' , params['image'] ) + '>' )
htmlTools.endHtml()  # print </html>
// viewImage.py //

The code should generate an HTML page that shows an image from the site http://myWebsite/, but with the urljoin bug the image source can be manipulated and result in a completely different HTML page.
Cheers,
Andres Riancho

----------------------------------------------------------------------

Python-bugs-list mailing list
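The behaviour in the report is urljoin applying the standard RFC 3986 rules: a reference that carries its own scheme or a leading '//' replaces the base's scheme and authority, so urljoin cannot serve as a same-site filter on its own. The following is an added example, not code from the report or from Python itself; it uses Python 3's urllib.parse (the Python 2 module in the report is urlparse) and a hypothetical base URL matching the report's viewImage.py, and shows the raw results next to a guarded join that rejects any reference leaving the intended origin.

```python
"""Guarding urljoin against scheme-relative and absolute references.

Added example (not part of the bug report). Uses Python 3's urllib.parse;
the Python 2 module discussed in the report is urlparse.
"""
from urllib.parse import urljoin, urlsplit

# Hypothetical base, mirroring the report's viewImage.py.
BASE = "http://myWebsite/"


def raw_join(ref):
    """Plain urljoin, exactly as the report's viewImage.py uses it."""
    return urljoin(BASE, ref)


def same_origin(url_a, url_b):
    """True when scheme and authority (host[:port]) agree, ignoring case."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme.lower(), a.netloc.lower()) == (b.scheme.lower(), b.netloc.lower())


def safe_join(ref):
    """Resolve ref against BASE; refuse any result outside BASE's origin.

    urljoin follows RFC 3986 5.2.2: a reference with its own scheme or a
    leading '//' replaces the base's scheme/authority. That is correct URL
    resolution, but it means the joined URL can point anywhere, so the
    caller must check the result. Returns the URL, or None if rejected.
    """
    parts = urlsplit(ref)
    if parts.scheme or parts.netloc:
        # '//a', 'https://0000/...', 'file:///etc/passwd' are not plain paths.
        return None
    joined = urljoin(BASE, ref)
    # Defence in depth: confirm the resolved URL still sits on BASE's origin.
    if not same_origin(BASE, joined):
        return None
    return joined


# Constructed inputs mirroring the report's interactive session.
CASES = ["pics/cat.png", "//a", "https://0000/somethingIsWrong", "file:///etc/passwd"]

if __name__ == "__main__":
    for ref in CASES:
        print(f"{ref!r:36} raw={raw_join(ref)!r:34} safe={safe_join(ref)!r}")
```

The accepted value still has to be HTML-attribute-escaped before it is placed inside the img tag; origin checking and output encoding are separate controls.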