[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability

2019-01-15 Thread Neeraj Sonaniya


New submission from Neeraj Sonaniya :

Summary:
It has been identified that `urlparse` under the `urllib.parse` module is 
detecting the wrong hostname, which could lead to a security issue known as an Open 
redirect vulnerability.

Steps to reproduce the issue:

The following code will help you reproduce the issue:

```python
from urllib.parse import urlparse

# The backslash is written as an explicit escape so the string holds a
# literal '\' (a bare '\@' is an invalid escape and only warns in newer Pythons).
x = 'http://www.google.com\\@xxx.com'
y = urlparse(x)
print(y.hostname)
```

Output:
xxx.com

The hostname from the above URL which is actually rendered by the browser is: 
'https://www.google.com'.

Tested in the following browsers (hostname detected as: https://www.google.com):

1. Chromium - Version 72.0.3626.7 - Developer Build
2. Firefox - 60.4.0esr (64-bit)
3. Internet Explorer - 11.0.9600.17843
4. Safari - Version 12.0.2 (14606.3.4)

--
components: Library (Lib)
files: Screenshot from 2019-01-16 12-47-22.png
messages: 333750
nosy: nsonaniya2010, orsenthil
priority: normal
severity: normal
status: open
title: urlparse library detecting wrong hostname leads to open redirect vulnerability
type: security
versions: Python 3.6, Python 3.7, Python 3.8
Added file: https://bugs.python.org/file48058/Screenshot from 2019-01-16 12-47-22.png

___
Python tracker 
<https://bugs.python.org/issue35748>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
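The report above describes a parser differential: `urlparse` takes the text after the last `@` in the authority as the host, while browsers following the WHATWG URL Standard fold `\` into `/` for http/https URLs, so they end the authority at the backslash. A redirect check that trusts `urlparse(...).hostname` alone can therefore approve a URL that the browser will send somewhere else. The following is an added example (not code from the bug report or from CPython) of a redirect-target check that refuses any input on which the two readings disagree; `ALLOWED_HOSTS`, the function names and the sample URLs are constructed for illustration, and the backslash fold is a deliberately minimal stand-in for a full WHATWG parser.

```python
from urllib.parse import urlparse

# Constructed allowlist of hosts a redirect may point to (assumption for this example).
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def whatwg_style_normalize(url: str) -> str:
    """Fold backslashes into forward slashes before parsing.

    Browsers treat '\\' as '/' in URLs with special schemes such as http and
    https, so the authority ends at the first backslash. This is the one
    divergence the bug report is about; a real WHATWG parser handles more.
    """
    return url.replace("\\", "/")


def hostnames(url: str):
    """Return (hostname as urlparse sees it, hostname as a browser would see it)."""
    strict = urlparse(url).hostname
    browser = urlparse(whatwg_style_normalize(url)).hostname
    return strict, browser


def naive_is_allowed(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """The check that is vulnerable to the reported differential."""
    return urlparse(url).hostname in allowed_hosts


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept a redirect target only if both readings agree on where it points.

    Rejects any URL whose scheme, authority or hostname differs between the
    strict urlparse view and the browser-style view, then applies the usual
    rules: same-site relative paths are fine, protocol-relative '//' targets
    and non-http(s) schemes are not, and absolute targets must be allowlisted.
    """
    strict = urlparse(url)
    browser = urlparse(whatwg_style_normalize(url))
    if (strict.scheme, strict.netloc, strict.hostname) != (
        browser.scheme, browser.netloc, browser.hostname
    ):
        return False  # parser differential: the browser would go somewhere else
    if not browser.scheme and not browser.netloc:
        # Relative target: allow a single leading '/' path only.
        return browser.path.startswith("/") and not browser.path.startswith("//")
    if browser.scheme not in ("http", "https"):
        return False
    return browser.hostname in allowed_hosts


if __name__ == "__main__":
    # Constructed inputs: the report's URL, plus the inverse case where the
    # naive check passes but the browser would leave the allowed domain.
    for candidate in (
        "http://www.google.com\\@xxx.com",
        "http://other.example\\@www.example.com",
        "https://www.example.com/login",
        "/dashboard",
        "//other.example/",
    ):
        print(candidate, hostnames(candidate),
              "naive:", naive_is_allowed(candidate),
              "hardened:", is_safe_redirect(candidate))
```

The second constructed input is the direction that actually matters for an open redirect: `urlparse` reports `www.example.com`, so the naive check approves it, while a browser would navigate to `other.example`. Comparing both readings and rejecting on disagreement costs one extra parse and closes that gap without having to enumerate every authority quirk.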



[issue35748] urlparse library detecting wrong hostname leads to open redirect vulnerability

2019-01-16 Thread Neeraj Sonaniya


Neeraj Sonaniya  added the comment:

Hi,

I know that \ (backslash) should be URL-encoded (%5c), but if the 
same URL (without the URL-encoded form) is typed into the URL bar of a browser, we get the 
hostname as 'https://www.google.com'.

--
