New submission from ready-research <readyresearch...@gmail.com>:
`urlparse` mishandles certain uses of extra slash or backslash (such as https:///, https:/, https:\) and interprets the URI as a relative path. A userland logic implementation that bases its decision on the urlparse() function may introduce a security vulnerability due to the unexpected returned values of the function. These vulnerabilities may manifest as an SSRF, Open Redirect, and other types of vulnerabilities related to incorrectly trusting a URL.

```python
from urllib.parse import urlparse

url1 = urlparse('https://www.attacker.com/a/b')
url2 = urlparse('https:///www.attacker.com/a/b')
url3 = urlparse('https:/www.attacker.com/a/b')
# Backslash escaped so the literal is a single "\" (an unescaped "\w" is an
# invalid escape sequence and raises a warning on newer Python versions).
url4 = urlparse('https:\\www.attacker.com/a/b')

print("Normal behaviour: HOSTNAME should be in netloc\n")
print(url1)
print("\nMishandling hostname and returning it as path\n")
print(url2)
print(url3)
print(url4)
```

OUTPUT:

```
Normal behaviour: HOSTNAME should be in netloc

ParseResult(scheme='https', netloc='www.attacker.com', path='/a/b', params='', query='', fragment='')

Mishandling hostname and returning it as path

ParseResult(scheme='https', netloc='', path='/www.attacker.com/a/b', params='', query='', fragment='')
ParseResult(scheme='https', netloc='', path='/www.attacker.com/a/b', params='', query='', fragment='')
ParseResult(scheme='https', netloc='', path='\\www.attacker.com/a/b', params='', query='', fragment='')
```

----------
components: Parser
messages: 398232
nosy: lys.nikolaou, pablogsal, ready-research
priority: normal
severity: normal
status: open
title: [security] Open redirect attack due to insufficient validation in Urlparse
versions: Python 3.10, Python 3.11, Python 3.6, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue44744>
_______________________________________
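Added example (not from the report or from CPython): a redirect-target validator that shows the vulnerable pattern the report warns about, trusting an empty `netloc` as "same-site relative path", beside a hardened check that rejects the slash/backslash variants above. `ALLOWED_HOSTS` and both function names are assumptions for the illustration.

```python
from urllib.parse import urlparse

# Assumed allowlist of hosts this application may redirect to.
ALLOWED_HOSTS = {"www.example.com"}


def naive_is_safe_redirect(url: str) -> bool:
    """Vulnerable pattern: an empty netloc is assumed to mean a local path.

    'https:/www.attacker.com/a/b' parses with netloc='' and passes, even
    though a browser resolves it to https://www.attacker.com/a/b.
    """
    parts = urlparse(url)
    return parts.netloc == "" or parts.netloc in ALLOWED_HOSTS


def strict_is_safe_redirect(url: str) -> bool:
    """Hardened check.

    Accepts only (a) a plain same-site path: no scheme, no authority, a
    single leading '/', no backslashes or control characters; or (b) an
    absolute http(s) URL whose hostname is on the allowlist.
    """
    # Reject backslashes (browsers treat them as '/') and control characters
    # before parsing, so the parser never sees the ambiguous forms.
    if "\\" in url or any(ord(c) < 0x20 for c in url):
        return False
    parts = urlparse(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must start with exactly one '/', because '//host'
        # is a protocol-relative URL pointing at another host.
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme not in ("http", "https"):
        # Covers '//host/path' (empty scheme, non-empty netloc) and
        # non-HTTP schemes such as javascript: or data:.
        return False
    host = parts.hostname  # None when netloc is empty, e.g. 'https:/host'
    return host is not None and host in ALLOWED_HOSTS
```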