bpo-30500: urllib connects to a wrong host

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

The urllib module doesn’t parse correctly password containing the # character.

Dates:

• Disclosure date: 2017-05-29 (Python issue bpo-30500 reported)
• Reported at: 2017-03-04 (Orange Tsai on the PSRT list)

Fixed In

• Python 2.7.14 (2017-09-16) fixed by commit d4324ba (branch 2.7) (2017-06-20)
• Python 3.3.7 (2017-09-19) fixed by commit 052f9d6 (branch 3.3) (2017-07-26)
• Python 3.4.7 (2017-08-09) fixed by commit cc54c1c (branch 3.4) (2017-07-12)
• Python 3.5.4 (2017-08-07) fixed by commit 4899d84 (branch 3.5) (2017-06-20)
• Python 3.6.2 (2017-07-08) fixed by commit b0fba88 (branch 3.6) (2017-06-20)
• Python 3.7.0 (2018-06-27) fixed by commit 90e01e5 (branch 3.7) (2017-06-20)

Python issue

[security] urllib connects to a wrong host.

• Python issue: bpo-30500
• Creation date: 2017-05-29
• Reporter: Nam Nguyen

Timeline

Timeline using the disclosure date 2017-05-29 as reference:

• 2017-03-04 (-86 days): Reported (Orange Tsai on the PSRT list)
• 2017-05-29: Python issue bpo-30500 reported by Nam Nguyen
• 2017-06-20 (+22 days): commit 4899d84 (branch 3.5)
• 2017-06-20 (+22 days): commit 90e01e5 (branch 3.7)
• 2017-06-20 (+22 days): commit b0fba88 (branch 3.6)
• 2017-06-20 (+22 days): commit d4324ba (branch 2.7)
• 2017-07-08 (+40 days): Python 3.6.2 released
• 2017-07-12 (+44 days): commit cc54c1c (branch 3.4)
• 2017-07-26 (+58 days): commit 052f9d6 (branch 3.3)
• 2017-08-07 (+70 days): Python 3.5.4 released
• 2017-08-09 (+72 days): Python 3.4.7 released
• 2017-09-16 (+110 days): Python 2.7.14 released
• 2017-09-19 (+113 days): Python 3.3.7 released
• 2018-06-27: Python 3.7.0 released