New submission from Dashmeet Kaur Ajmani <dashmeetajm...@gmail.com>:
A URL's hostname can be spoofed by using a backslash (\) character followed by 
an at (@) character. If the hostname is used in security decisions, the 
decision may be incorrect.

Impact: Depending on library usage and attacker intent, impacts may include 
allow/block list bypasses, SSRF attacks, open redirects, or other undesired 
behavior.

Example URL: "http://google.com:80\\@yahoo.com/#what\\is going on"

Expected behaviour (as returned by NPM urijs):
{
 "scheme": "http",
 "user": "",
 "password": "",
 "host": "google.com",
 "port": "",
 "path": "@yahoo.com/",
 "query": "",
 "fragment": "what\\is going on"
}

Actual behaviour:
{
 "scheme": "http",
 "user": "google.com",
 "password": "80\\",
 "host": "yahoo.com",
 "port": "",
 "path": "/",
 "query": "",
 "fragment": "what\\is going on"
}

Expected version is the behavior of other parsers which implement the WHATWG 
URL specification, including web browsers and Node's built-in URL class.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26291

----------
components: Library (Lib)
messages: 412118
nosy: meetdash
priority: normal
severity: normal
status: open
title: Hostname spoofing via backslashes in URL
type: security
versions: Python 3.11

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue46577>
_______________________________________
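The parser disagreement described in the report, turned into a defensive check, as an added example that is not part of the original submission or of CPython. The helper names are hypothetical, and the sample URL is the report's example written with single backslashes, on the assumption that the doubled backslashes in the report are string escaping.

```python
import re
from urllib.parse import urlsplit

# Schemes the WHATWG URL Standard calls "special": for these, a backslash is
# treated like a forward slash while the authority and path are parsed.
SPECIAL_SCHEMES = {"http", "https", "ftp", "ws", "wss"}

# The report's example URL (assumed to contain single backslashes).
SPOOFED = r"http://google.com:80\@yahoo.com/#what\is going on"


def urllib_hostname(url):
    """Hostname exactly as urllib.parse reports it."""
    return urlsplit(url).hostname


def whatwg_style_hostname(url):
    """Hostname as a WHATWG-style parser would see it (hypothetical helper).

    Approximation: for special schemes, backslashes before the first '?' or
    '#' are rewritten to '/', then urllib.parse splits the result.
    """
    if urlsplit(url).scheme not in SPECIAL_SCHEMES:
        return urllib_hostname(url)
    match = re.search(r"[?#]", url)
    cut = match.start() if match else len(url)
    normalised = url[:cut].replace("\\", "/") + url[cut:]
    return urlsplit(normalised).hostname


def host_allowed(url, allowlist):
    """Allow a URL only if both interpretations agree and the host is listed."""
    seen_by_urllib = urllib_hostname(url)
    seen_by_whatwg = whatwg_style_hostname(url)
    if seen_by_urllib is None or seen_by_urllib != seen_by_whatwg:
        return False  # parser differential: refuse instead of guessing
    return seen_by_urllib in allowlist


if __name__ == "__main__":
    print("urllib.parse host:", urllib_hostname(SPOOFED))
    print("WHATWG-style host:", whatwg_style_hostname(SPOOFED))
    print("allowed for yahoo.com:", host_allowed(SPOOFED, {"yahoo.com"}))
```

Refusing on disagreement keeps an allow/block-list decision from depending on which parser the downstream HTTP client or browser happens to use.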