bpo-30500: urllib connects to a wrong host

The urllib module doesn’t parse correctly password containing the # character.

  • Disclosure date: 2017-05-29 (Python issue #30500 reported)
  • Reported at: 2017-03-04 (Orange Tsai on the PSRT list)

Vulnerable Versions

  • Python 2.7
  • Python 3.3
  • Python 3.4
  • Python 3.5
  • Python 3.6

Python issue

urllib connects to a wrong host.

  • Python issue: issue #30500
  • Creation date: 2017-05-29
  • Reporter: Nam Nguyen

Timeline

Timeline using the disclosure date 2017-05-29 as reference:

  • 2017-03-04 (-86 days): Reported (Orange Tsai on the PSRT list)
  • 2017-05-29: Python issue #30500 reported by Nam Nguyen