Matej Cepl <mc...@cepl.eu> added the comment:

I am trying to investigate the impact of this bug on Python 2.6 (yes, it is for 
SLE), and I have a hard time replicating the steps in the description even on 2.7:

~$ ipython2
Python 2.7.15 (default, May 21 2018, 17:53:03) [GCC]
Type "copyright", "credits" or "license" for more information.

IPython 5.8.0 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: from urlparse import urlsplit

In [2]: u = "https://example.com\uf...@bing.com".encode("idna").decode("ascii") 

In [3]: u
Out[3]: u'https://example.com\\uf...@bing.com'

In [4]: urlsplit(u).netloc.rpartition('@')[2]
Out[4]: u'bing.com'

In [5]: u = "https://example.com\uf...@bing.com";

In [6]: urlsplit(u).netloc.rpartition('@')[2]
Out[6]: 'bing.com'

In [7]: u = u.encode("idna").decode("ascii") 

In [8]: urlsplit(u).netloc.rpartition('@')[2]
Out[8]: u'bing.com'

In [9]: import unicodedata

In [10]: u2 = unicodedata.normalize('NFKC', u)

In [11]: u2
Out[11]: u'https://example.com\\uf...@bing.com'

In [12]: urlsplit(u2)
Out[12]: SplitResult(scheme=u'https', netloc=u'example.com\\uf...@bing.com', 
path=u'', query='', fragment='')

In [13]:

Yes, the results are weird, and most likely they would break any software 
relying on them, but I am not sure that it is a security issue.

vstinner? steve.dower? What do you think?

----------
nosy: +mcepl

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36216>
_______________________________________
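
An added example, not part of the original message or of CPython: a Python 3 check that flags a netloc in which NFKC normalization (the step tried at In [10]) produces a URL delimiter that was not there before, and shows how the host read with `rpartition('@')` differs before and after. The delimiter set, the helper names and the sample URLs are assumptions constructed for illustration; the character elided in the message is not reproduced.

```python
import unicodedata

DELIMS = "/?#@:"  # assumed delimiter set: characters that structure a URL authority

def raw_netloc(url):
    """Authority as a splitter sees it: text after '//' up to the first '/', '?' or '#'."""
    rest = url.partition("//")[2]
    end = min((rest.find(c) for c in "/?#" if c in rest), default=len(rest))
    return rest[:end]

def introduced_delims(netloc):
    """Delimiters that exist only after NFKC normalization of the non-delimiter text."""
    stripped = netloc.translate({ord(c): None for c in DELIMS})
    normalized = unicodedata.normalize("NFKC", stripped)
    return sorted(set(normalized) & set(DELIMS))

def audit(url):
    """Compare the host taken before normalization with the host taken after it."""
    before = raw_netloc(url)
    after = raw_netloc(unicodedata.normalize("NFKC", url))
    return {
        "host_before": before.rpartition("@")[2],  # same expression as In [4]
        "host_after": after.rpartition("@")[2],
        "introduced": introduced_delims(before),
    }

# Constructed samples (not the value elided in the message above).
SAMPLES = [
    "https://example.com\uff03@bing.com",   # U+FF03 FULLWIDTH NUMBER SIGN
    "https://user@example.com:8443/index",  # ordinary userinfo and port
    "https://b\u00fccher.example/path",     # benign non-ASCII host
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = audit(s)
        verdict = "REJECT" if r["introduced"] else "ok"
        print(verdict, ascii(s), r)
```

A URL should be rejected whenever `introduced` is non-empty, because a component that normalizes the host later will see a different authority than the one that was validated.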
_______________________________________________
Python-bugs-list mailing list