New submission from Dashmeet Kaur Ajmani <dashmeetajm...@gmail.com>:
A URL's hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect.

Impact: Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Example URL: "http://google.com:80\\@yahoo.com/#what\\is going on"

Expected behaviour (as returned by NPM urijs):
{
  "scheme": "http",
  "user": "",
  "password": "",
  "host": "google.com",
  "port": "",
  "path": "@yahoo.com/",
  "query": "",
  "fragment": "what\\is going on"
}

Actual behaviour:
{
  "scheme": "http",
  "user": "google.com",
  "password": "80\\",
  "host": "yahoo.com",
  "port": "",
  "path": "/",
  "query": "",
  "fragment": "what\\is going on"
}

Expected version is the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26291

----------
components: Library (Lib)
messages: 412118
nosy: meetdash
priority: normal
severity: normal
status: open
title: Hostname spoofing via backslashes in URL
type: security
versions: Python 3.11

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue46577>
_______________________________________
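The following is an added example, not part of the original report or of CPython: it runs the report's URL through an allowlist check that trusts `urlsplit()` alone, and through a stricter check that refuses any URL whose host would be read differently by a parser that treats `\` like `/`. The names `ALLOWED_HOSTS`, `naive_is_allowed`, `whatwg_style_host`, `strict_host` and `strict_is_allowed` are hypothetical, and `whatwg_style_host` is only an approximation of WHATWG parsing for http(s) URLs.

```python
from urllib.parse import urlsplit

# URL from the report, as a raw string so each backslash is a literal character.
REPORT_URL = r"http://google.com:80\@yahoo.com/#what\is going on"
ALLOWED_HOSTS = {"yahoo.com"}  # constructed allowlist for this demo


class RejectedURL(ValueError):
    """Raised when a URL cannot be assigned one unambiguous host."""


def naive_is_allowed(url):
    # Trusts urlsplit() alone: everything before '@' is read as userinfo.
    return urlsplit(url).hostname in ALLOWED_HOSTS


def whatwg_style_host(url):
    # Assumption: approximates WHATWG parsers for http(s), where '\' ends the
    # authority exactly like '/'. Not a full WHATWG implementation.
    return urlsplit(url.replace("\\", "/")).hostname


def strict_host(url):
    """Return the host only when both readings agree and no userinfo is present."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise RejectedURL("unsupported scheme")
    if not parts.hostname or parts.hostname != whatwg_style_host(url):
        raise RejectedURL("parsers disagree on the host")
    if "@" in parts.netloc:
        raise RejectedURL("userinfo not accepted")
    return parts.hostname


def strict_is_allowed(url):
    try:
        return strict_host(url) in ALLOWED_HOSTS
    except RejectedURL:
        return False


if __name__ == "__main__":
    print("urlsplit host:     ", urlsplit(REPORT_URL).hostname)
    print("WHATWG-style host: ", whatwg_style_host(REPORT_URL))
    print("naive allowlist:   ", naive_is_allowed(REPORT_URL))
    print("strict allowlist:  ", strict_is_allowed(REPORT_URL))
```

A backslash that appears only in the fragment or query does not change either reading of the host, so such URLs still pass the strict check.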