Change by Sihoon Lee:
--
pull_requests: +13545
pull_request: https://github.com/python/cpython/pull/12524
___
Python tracker
<https://bugs.python.org/issue30
Sihoon Lee added the comment:
If developers allow only http:// or https:// as a whitelist, there is no problem.
But if someone blocks only one file://, an attacker can bypass it.
This issue may provide an attacker with a bypassing method as new scheme
Change by Sihoon Lee:
--
pull_requests: -12476
___
Python tracker
<https://bugs.python.org/issue35906>
___
___
Python-bugs-list mailing list
Unsubscribe:
Change by Sihoon Lee:
--
pull_requests: +12476
___
Python tracker
<https://bugs.python.org/issue35906>
___
Change by Sihoon Lee:
--
pull_requests: +12475
___
Python tracker
<https://bugs.python.org/issue35906>
___
Change by Sihoon Lee:
--
pull_requests: -12474
___
Python tracker
<https://bugs.python.org/issue35906>
___
Change by Sihoon Lee:
--
pull_requests: +12474
___
Python tracker
<https://bugs.python.org/issue35906>
___
Change by Sihoon Lee:
--
keywords: +patch
pull_requests: +11872
stage: needs patch -> patch review
___
Python tracker
<https://bugs.python.org/issu
Sihoon Lee added the comment:
Yes, I thought so. Before the commit version I mentioned, the previous
version (~3.4.6) raised an exception (no host given~) in urlopen, failing to parse
the host.
If this patch wants to be the same as the previous version, it is right to raise an
exception like the previous
Sihoon Lee added the comment:
Sorry, I'm late.
My review is here. https://github.com/python/cpython/pull/11768
--
___
Python tracker
<https://bugs.python.org/is
Sihoon Lee added the comment:
I am also not a native English speaker. It's OK. Thank you for reading my report
--
___
Python tracker
<https://bugs.python.org/is
Sihoon Lee added the comment:
and only urllib, not urllib2.
--
___
Python tracker
<https://bugs.python.org/issue35907>
___
Sihoon Lee added the comment:
Sorry for my bad English.
Yes, exactly. Only Python 2.7 has been affected, not Python 3.
So I chose only the Python 2.7 version.
--
___
Python tracker
<https://bugs.python.org/issue35
Sihoon Lee added the comment:
When I tested it before, it did not work.
Did it really work?
Could you show me your PoC code?
--
nosy: +push0ebp -lars.gustaebel
___
Python tracker
<https://bugs.python.org/issue35
New submission from Sihoon Lee:
The unnecessary scheme exists in urlopen() urllib
When people want to protect against reading the file system in an HTTP request of urlopen(),
they often filter like this against SSRF.
# Vulnerability PoC
import urllib
print urllib.urlopen('local_file:///etc/passwd
New submission from Sihoon Lee:
This patch can also be broken by path and query string.
http://www.cvedetails.com/cve/CVE-2016-5699/
https://bugs.python.org/issue30458
It can succeed in injecting an HTTP header and be more critical by bypassing the illegal
header check
# Vulnerability PoC
>>>