On Wed, Sep 4, 2019, at 13:36, Barry Scott wrote:
> The conclusion I reached is that the CVE only applies to client code 
> that allows a URL in unicode to be entered.
> 
> Have I missed something important in the analysis?

While as I mentioned in my other post I'm not sure if the CVE's analysis of URL 
behavior is correct generally, you have missed the fact that an HTML page can 
provide URLs in unicode, either with the page itself encoded in UTF-8, or with 
whatever characters escaped as XML character references... not only as bytes in 
IDNA or percent-escaped hex. The same principle applies to other formats in 
which URLs might be interchanged as encoded unicode strings, such as JSON. The 
fact that accessing such a URL requires converting the non-ASCII parts to IDNA 
(for the domain part) or percent-escaped hex (for other parts) doesn't limit 
this to user input.

<a href="https://example.com&#xff03;@bing.com">like this</a>
-- 
https://mail.python.org/mailman/listinfo/python-list
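
A check for the case the reply describes, as an added example that is not part of the original post: it decodes the character references in each `href` the way an HTML parser does, then flags a host part in which a non-ASCII character turns into a URL delimiter under NFKC normalization (a step of IDNA's nameprep). The function names, the delimiter set and the second sample link are assumptions made for illustration.

```python
import unicodedata
from html.parser import HTMLParser

DELIMS = "/?#@:"  # assumption: characters that change how an authority is split


class HrefCollector(HTMLParser):
    """Collects <a href> values; the parser decodes character references."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def raw_netloc(url):
    """Text after '//' up to the first '/', '?' or '#'."""
    rest = url.split("//", 1)[1] if "//" in url else ""
    for i, ch in enumerate(rest):
        if ch in "/?#":
            return rest[:i]
    return rest


def host_of(netloc):
    """Host without userinfo and port (IPv6 literals not handled)."""
    return netloc.rpartition("@")[2].partition(":")[0]


def audit(html_text):
    """Return (href, host as written, host after NFKC, offending code points)."""
    collector = HrefCollector()
    collector.feed(html_text)
    findings = []
    for href in collector.hrefs:
        netloc = raw_netloc(href)
        bad = [f"U+{ord(c):04X}" for c in netloc if ord(c) > 127
               and any(d in unicodedata.normalize("NFKC", c) for d in DELIMS)]
        if bad:
            folded = raw_netloc(unicodedata.normalize("NFKC", href))
            findings.append((href, host_of(netloc), host_of(folded), bad))
    return findings


# Constructed sample: the link from the post plus one ordinary link.
SAMPLE = ('<a href="https://example.com&#xff03;@bing.com">like this</a>'
          '<a href="https://example.org/docs">docs</a>')

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The two host values in each finding differ exactly when a component that normalizes before parsing and one that parses first would disagree about where the link points.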
