[issue14036] urlparse insufficient port property validation

2015-02-09 Thread Martin Panter
Martin Panter added the comment: See Issue 20059 proposing to change this to raise ValueError -- nosy: +vadmium

[issue14036] urlparse insufficient port property validation

2012-05-24 Thread Senthil Kumaran
Senthil Kumaran added the comment: This is taken care of. I was not really convinced of the need, as it likely seemed a non-issue from the "urlparse" standpoint, but still there is no harm in returning a valid port, as semantically the attribute stands for a port. Thanks! -- assignee: -> orsenthi

[issue14036] urlparse insufficient port property validation

2012-05-24 Thread Roundup Robot
Roundup Robot added the comment: New changeset 988903cf24c5 by Senthil Kumaran in branch '2.7': Issue #14036: return None when port in urlparse cross 65535 http://hg.python.org/cpython/rev/988903cf24c5 New changeset d769e64aed79 by Senthil Kumaran in branch '3.2': Issue #14036: return None when

[issue14036] urlparse insufficient port property validation

2012-05-21 Thread Ezio Melotti
Ezio Melotti added the comment: > Ezio, I noticed that you changed from pending to open. That was an accident, I just meant to add myself to the nosy. I didn't have time yet to read all the messages and comment on the issue.

[issue14036] urlparse insufficient port property validation

2012-05-21 Thread Senthil Kumaran
Senthil Kumaran added the comment: pass_to_cython(urlparse("http://google.de:99**99[to be calculated]").port) is no different than sending pass_to_cython(99**99[to be calculated]). In that case, would the former make a security loophole in urlparse? Looks pretty contrived to

[issue14036] urlparse insufficient port property validation

2012-05-21 Thread zulla
zulla added the comment: we should at least check if the .port attribute is an integer >= 1 and <= 65535. _because_ this is the only valid port range. otherwise, it is no valid port. but it may be an integer overflow attack attempt when a developer uses .port, he is counting on the result be

[issue14036] urlparse insufficient port property validation

2012-05-21 Thread zulla
zulla added the comment: Your comment is completely senseless, sorry. Of course such high port numbers do not exist. An attacker is counting on that. Imagine something like that pass_to_cython(urlparse("http://google.de:99**99[to be calculated]").port)

[issue14036] urlparse insufficient port property validation

2012-05-21 Thread Senthil Kumaran
Senthil Kumaran added the comment: I am not sure if anything should be done to this request. Saying that int("99",10) is converting to 99L in Python2.7 it is a bug/security issue is hypothetical. Practically, such high port numbers cannot exist.

[issue14036] urlparse insufficient port property validation

2012-05-19 Thread Ezio Melotti
Changes by Ezio Melotti: -- nosy: +ezio.melotti status: pending -> open

[issue14036] urlparse insufficient port property validation

2012-03-08 Thread Senthil Kumaran
Senthil Kumaran added the comment: Couple of points: 1. On your last example, which webserver treats 'L' as part of port number? I can't think of anything. 2. Can you write a "real application" which is listening to beyond 65535? Which platform would it be? Current way of handling invalid port li

[issue14036] urlparse insufficient port property validation

2012-03-03 Thread zulla
zulla added the comment:
>>> u("http://www.google.com:99").port
99L

[issue14036] urlparse insufficient port property validation

2012-02-17 Thread Nick Coghlan
Nick Coghlan added the comment: Could you provide some failing examples? The suggestion also seems to run slightly at odds with itself - in one part, silently replacing an invalid port specification with a different value, in another adding additional validation checks. Also, rather than har

[issue14036] urlparse insufficient port property validation

2012-02-16 Thread zulla
zulla added the comment: I understand your point of view, but I disagree. Various libraries and projects rely on urlparse.urlparse and urllib.parse.urlparse. This bug just blew up in my face. I'm working with Cython and PyQt4. When a developer relies on ParseResult().netloc being a valid net

[issue14036] urlparse insufficient port property validation

2012-02-16 Thread R. David Murray
R. David Murray added the comment: It's not a patch if it is the whole file. A diff would be much more useful, since then we could see the changes easily. This kind of change would require a bit of discussion. I'm doubtful that it would be applied as a bug fix, and we might even want the va

[issue14036] urlparse insufficient port property validation

2012-02-16 Thread zulla
Changes by zulla: Removed file: http://bugs.python.org/file24535/urlparse.py

[issue14036] urlparse insufficient port property validation

2012-02-16 Thread zulla
zulla added the comment: Whoops. I forgot an int() :-) Here's the right patch. -- Added file: http://bugs.python.org/file24540/testurllib.py

[issue14036] urlparse insufficient port property validation

2012-02-16 Thread zulla
zulla added the comment: Hi. No, it's a patched version. It won't crash under circumstances like that [1] and won't succeed with invalid input:
>>> import urlparse
>>> urlparse.urlparse("http://www.google.com:foo")
ParseResult(scheme='http', netloc='www.google.com:foo', path='', params='',

[issue14036] urlparse insufficient port property validation

2012-02-16 Thread R. David Murray
R. David Murray added the comment: Did you upload urlparse.py to the issue by accident? Can you please provide some examples of where you think the current code is producing incorrect results? -- nosy: +r.david.murray

[issue14036] urlparse insufficient port property validation

2012-02-16 Thread zulla
zulla added the comment: The "port" and "netloc" component of a ParsedResult-object is not properly sanitized or validated. This may lead to bypass-able hostname-based filters. Remote Crash vulnerabilities may also be possible.

[issue14036] urlparse insufficient port property validation

2012-02-16 Thread zulla
New submission from zulla: The "port" component of a URL is not properly sanitized or validated. This may lead to the evasion of netloc/hostname based filters or exceptions. -- components: Library (Lib) files: testurllib.py messages: 153512 nosy: zulla priority: normal severity: nor