Hostname spoofing via backslashes in URL #90735

Open
meetdash mannequin opened this issue Jan 30, 2022 · 2 comments
Labels
3.11 only security fixes stdlib Python modules in the Lib dir type-security A security issue

Comments

@meetdash
Mannequin

meetdash mannequin commented Jan 30, 2022

BPO 46577
Nosy @tirkarthi, @meetdash

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2022-01-30.00:29:31.208>
labels = ['type-security', 'library', '3.11']
title = 'Hostname spoofing via backslashes in URL'
updated_at = <Date 2022-01-30.04:43:25.967>
user = 'https://github.com/meetdash'

bugs.python.org fields:

activity = <Date 2022-01-30.04:43:25.967>
actor = 'xtreak'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)']
creation = <Date 2022-01-30.00:29:31.208>
creator = 'meetdash'
dependencies = []
files = []
hgrepos = []
issue_num = 46577
keywords = []
message_count = 2.0
messages = ['412118', '412124']
nosy_count = 2.0
nosy_names = ['xtreak', 'meetdash']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue46577'
versions = ['Python 3.11']

@meetdash
Mannequin Author

meetdash mannequin commented Jan 30, 2022

A URL's hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect.

Impact: Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Example URL: "http://google.com:80\\\\@yahoo.com/#what\\\\is going on"

Expected behaviour (as returned by NPM urijs):
{
"scheme": "http",
"user": "",
"password": "",
"host": "google.com",
"port": "",
"path": "@yahoo.com/",
"query": "",
"fragment": "what\\is going on"
}

Actual behaviour:
{
"scheme": "http",
"user": "google.com",
"password": "80\\",
"host": "yahoo.com",
"port": "",
"path": "/",
"query": "",
"fragment": "what\\is going on"
}

Expected version is the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26291
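Added example, not part of the original issue and not CPython's own code: a defensive wrapper for callers who make allowlist decisions on `urllib.parse` hostnames. It rejects any URL whose authority contains a backslash or userinfo, the two features the report's example relies on. The names `ALLOWED_HOSTS`, `AmbiguousURL`, `naive_host`, `strict_host` and `is_allowed` are hypothetical, and the allowlist is constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the demo (assumption, not from the issue).
ALLOWED_HOSTS = {"google.com"}

# The issue's example URL, written as a raw string with literal backslashes.
SPOOF = r"http://google.com:80\\@yahoo.com/#what\\is going on"


class AmbiguousURL(ValueError):
    """urllib.parse and WHATWG-style parsers would disagree on the host."""


def naive_host(url):
    """Hostname exactly as urllib.parse reports it, with no extra checks."""
    return urlsplit(url).hostname


def strict_host(url):
    """Return the hostname only when the authority is unambiguous."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise AmbiguousURL("unsupported scheme")
    # WHATWG parsers treat "\" like "/" in http(s) URLs, so for them the
    # authority ends at the first backslash; urllib keeps reading up to "/".
    if "\\" in parts.netloc:
        raise AmbiguousURL("backslash in authority")
    # Userinfo is what lets text before "@" pose as the host.
    if parts.username is not None or parts.password is not None:
        raise AmbiguousURL("userinfo not allowed")
    if not parts.hostname:
        raise AmbiguousURL("missing host")
    return parts.hostname


def is_allowed(url):
    """Allowlist decision that fails closed on anything ambiguous."""
    try:
        return strict_host(url) in ALLOWED_HOSTS
    except ValueError:  # includes AmbiguousURL and urlsplit's own errors
        return False


if __name__ == "__main__":
    print("urllib host:", naive_host(SPOOF))
    print("allowed:", is_allowed(SPOOF))
```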

@meetdash meetdash mannequin added 3.11 only security fixes stdlib Python modules in the Lib dir type-security A security issue labels Jan 30, 2022
@tirkarthi
Member

This seems to be similar to https://bugs.python.org/issue35748

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022