Re: Re: unassigning CVE-2015-2104

[Amos Jeffries <squid3 () treenet co nz>]

On 6/03/2015 10:42 a.m., cve-assign () mitre org wrote:
> We think that the issue reduces to the question of whether it's
> acceptable for urlparse to provide inconsistent information about the
> structure of a URL.
>
> https://docs.python.org/2/library/urlparse.html says:
>
>    urlparse.urlparse(urlstring[, scheme[, allow_fragments]])
>    Parse a URL into six components, returning a 6-tuple. This
>    corresponds to the general structure of a URL:
>    scheme://netloc/path;parameters?query#fragment.

My 2c ... no it does not.

There are 7 parts in a URL. What is called "netloc" in that description
is actually two fields: [userinfo '@'] authority

The userinfo field is very much alive and well in non-HTTP schemes.


Ignoring the userinfo field leaves implementations open to attacks of
the form:
   scheme://example.com () phishing com/path

AYJ