Karthikeyan Singaravelan <tir.kar...@gmail.com> added the comment:
I just tested other implementations in Ruby and Go and they too return host as "evil.com" for "http://www.google....@evil.com"; along with the user info component. $ ruby -e 'require "uri"; puts URI("http://www.google....@evil.com";).hostname' evil.com $ cat /tmp/foo.go package main import ( "fmt" "net/url" ) func main() { u, _ := url.Parse(`http://www.google....@evil.com`) fmt.Println(u.Host); fmt.Println(u.User); } $ go run /tmp/foo.go evil.com www.google.com ---------- nosy: +xtreak _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue35748> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
