.. _urllib-connects-wrong-host:

bpo-30500: urllib connects to a wrong host
==========================================

.. warning::

   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**.

   The canonical database for vulnerabilities affecting Python is
   available on GitHub in the Open Source Vulnerability (OSV) format.
   This database can be viewed online at the Open Source Vulnerability
   Database.

The urllib module does not correctly parse a password containing the ``#``
character.

Dates:

* Disclosure date: **2017-05-29** (Python issue bpo-30500 reported)
* Reported at: 2017-03-04 (Orange Tsai on the PSRT list)

Fixed In
--------

* Python **2.7.14** (2017-09-16) fixed by commit d4324ba (branch 2.7) (2017-06-20)
* Python **3.3.7** (2017-09-19) fixed by commit 052f9d6 (branch 3.3) (2017-07-26)
* Python **3.4.7** (2017-08-09) fixed by commit cc54c1c (branch 3.4) (2017-07-12)
* Python **3.5.4** (2017-08-07) fixed by commit 4899d84 (branch 3.5) (2017-06-20)
* Python **3.6.2** (2017-07-08) fixed by commit b0fba88 (branch 3.6) (2017-06-20)
* Python **3.7.0** (2018-06-27) fixed by commit 90e01e5 (branch 3.7) (2017-06-20)

Python issue
------------

[security] urllib connects to a wrong host.

* Python issue: bpo-30500
* Creation date: 2017-05-29
* Reporter: Nam Nguyen

Timeline
--------

Timeline using the disclosure date **2017-05-29** as reference:

* 2017-03-04 (**-86 days**): Reported (Orange Tsai on the PSRT list)
* 2017-05-29: Python issue bpo-30500 reported by Nam Nguyen
* 2017-06-20 (**+22 days**): commit 4899d84 (branch 3.5)
* 2017-06-20 (**+22 days**): commit 90e01e5 (branch 3.7)
* 2017-06-20 (**+22 days**): commit b0fba88 (branch 3.6)
* 2017-06-20 (**+22 days**): commit d4324ba (branch 2.7)
* 2017-07-08 (**+40 days**): Python 3.6.2 released
* 2017-07-12 (**+44 days**): commit cc54c1c (branch 3.4)
* 2017-07-26 (**+58 days**): commit 052f9d6 (branch 3.3)
* 2017-08-07 (**+70 days**): Python 3.5.4 released
* 2017-08-09 (**+72 days**): Python 3.4.7 released
* 2017-09-16 (**+110 days**): Python 2.7.14 released
* 2017-09-19 (**+113 days**): Python 3.3.7 released
* 2018-06-27: Python 3.7.0 released
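
The parsing ambiguity behind this issue, shown as an added example (not code from CPython or from this page): RFC 3986 ends the authority at the first ``/``, ``?`` or ``#``, so a raw ``#`` in a password has to be sent as ``%23``. The permissive pattern is a constructed model of the bug class, not the pre-fix urllib code, and the URLs and host names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# RFC 3986 section 3.2: the authority ends at the first "/", "?" or "#".
STRICT = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")
# Constructed model of the bug class (NOT the pre-fix urllib code):
# this pattern forgets that "#" also terminates the authority.
PERMISSIVE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?]*)")


def _host(authority):
    """Drop userinfo (everything up to the last "@") and the port."""
    hostport = authority.rpartition("@")[2]
    if hostport.startswith("["):  # bracketed IPv6 literal
        return hostport.partition("]")[0] + "]"
    return hostport.partition(":")[0].lower()


def hosts_seen(url):
    """Return (strict_host, permissive_host) for an absolute URL."""
    strict, loose = STRICT.match(url), PERMISSIVE.match(url)
    if strict is None or loose is None:
        raise ValueError("no scheme://authority in %r" % (url,))
    return _host(strict.group(1)), _host(loose.group(1))


def is_ambiguous(url):
    """True when the two readings pick different hosts; only a raw "#"
    before the first "/" or "?" can cause that."""
    strict_host, permissive_host = hosts_seen(url)
    return strict_host != permissive_host


def stdlib_host(url):
    """Host as parsed by urllib.parse.urlsplit in the running Python."""
    return urlsplit(url).hostname


# Constructed sample URLs; the host names are placeholders.
RAW = "http://alice:pa#ss@files.example.org/data"
ENCODED = "http://alice:pa%23ss@files.example.org/data"

if __name__ == "__main__":
    for url in (RAW, ENCODED):
        print(url, hosts_seen(url), "ambiguous" if is_ambiguous(url) else "ok")
```

A URL flagged by ``is_ambiguous`` should be rejected, or its password re-encoded with ``urllib.parse.quote(password, safe="")``, before it is handed to an HTTP client.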