bpo-30500: urllib connects to a wrong host


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

The urllib module doesn’t parse correctly password containing the # character.


  • Disclosure date: 2017-05-29 (Python issue bpo-30500 reported)
  • Reported at: 2017-03-04 (Orange Tsai on the PSRT list)

Fixed In

Python issue

[security] urllib connects to a wrong host.

  • Python issue: bpo-30500
  • Creation date: 2017-05-29
  • Reporter: Nam Nguyen


Timeline using the disclosure date 2017-05-29 as reference: