bpo-30500: urllib connects to a wrong host
The urllib module does not correctly parse a password that contains the #
character.
- Disclosure date: 2017-05-29 (Python issue bpo-30500 reported)
- Reported at: 2017-03-04 (Orange Tsai on the PSRT list)
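The effect on host selection, as an added example that is not code from CPython or from the original page: a URL check that rejects any URL whose host depends on whether the parser ends the authority at "#". The two regular expressions, the function names and the sample URLs are constructed for illustration, and the lenient pattern is an assumed simplification of a parser that treats "#" as part of the authority.

```python
import re
from urllib.parse import urlsplit

# Simplified stand-ins (assumptions, not CPython source): one authority matcher
# that stops only at "/" and "?", and one that also stops at "#", where
# RFC 3986 says the fragment begins.
LENIENT_AUTHORITY = re.compile(r"//([^/?]*)", re.DOTALL)
STRICT_AUTHORITY = re.compile(r"//([^/?#]*)", re.DOTALL)

def host_from(pattern, url):
    """Return the lower-cased host[:port] that the given pattern yields."""
    match = pattern.search(url)
    if match is None:
        return None
    # Userinfo is everything before the last "@" of the authority.
    return match.group(1).rpartition("@")[2].lower()

def parsers_disagree(url):
    """True when the lenient and strict readings name different hosts."""
    return host_from(LENIENT_AUTHORITY, url) != host_from(STRICT_AUTHORITY, url)

def check_url(url, allowed_hosts):
    """Accept a URL only if its host is unambiguous and allow-listed.

    Deliberately conservative: any raw "#" before the first "/" or "?"
    is refused, including a fragment placed directly after the host.
    """
    if parsers_disagree(url):
        return False, "ambiguous authority: raw '#' before first '/' or '?'"
    host = urlsplit(url).hostname
    if host is None or host not in allowed_hosts:
        return False, "host not allow-listed"
    return True, host

# Constructed sample URLs; example.com is a reserved documentation name.
SAMPLES = [
    "http://user:secret@example.com/path",   # plain password
    "http://user:pa#ss@example.com/path",    # raw "#" inside the password
    "http://user:pa%23ss@example.com/path",  # "#" percent-encoded as %23
    "http://example.com/page#section",       # ordinary fragment after the path
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_url(sample, {"example.com"}))
```

A password that must contain "#" should be percent-encoded as %23 before it is placed in a URL, which is the form the third sample uses.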
Fixed In
- Python 2.7.14 (2017-09-17) fixed by commit d4324ba (branch 2.7) (2017-06-20)
- Python 3.3.7 (2017-09-19) fixed by commit 052f9d6 (branch 3.3) (2017-07-26)
- Python 3.4.7 (2017-08-09) fixed by commit cc54c1c (branch 3.4) (2017-07-12)
- Python 3.5.4 (2017-08-08) fixed by commit 4899d84 (branch 3.5) (2017-06-20)
- Python 3.6.2 (2017-07-17) fixed by commit b0fba88 (branch 3.6) (2017-06-20)
- Python 3.7.0 (2018-06-28) fixed by commit 90e01e5 (branch 3.7) (2017-06-20)
Python issue
[security] urllib connects to a wrong host.
- Python issue: bpo-30500
- Creation date: 2017-05-29
- Reporter: Nam Nguyen
Timeline
Timeline using the disclosure date 2017-05-29 as reference:
- 2017-03-04 (-86 days): Reported (Orange Tsai on the PSRT list)
- 2017-05-29: Python issue bpo-30500 reported by Nam Nguyen
- 2017-06-20 (+22 days): commit 4899d84 (branch 3.5)
- 2017-06-20 (+22 days): commit 90e01e5 (branch 3.7)
- 2017-06-20 (+22 days): commit b0fba88 (branch 3.6)
- 2017-06-20 (+22 days): commit d4324ba (branch 2.7)
- 2017-07-12 (+44 days): commit cc54c1c (branch 3.4)
- 2017-07-17 (+49 days): Python 3.6.2 released
- 2017-07-26 (+58 days): commit 052f9d6 (branch 3.3)
- 2017-08-08 (+71 days): Python 3.5.4 released
- 2017-08-09 (+72 days): Python 3.4.7 released
- 2017-09-17 (+111 days): Python 2.7.14 released
- 2017-09-19 (+113 days): Python 3.3.7 released
- 2018-06-28: Python 3.7.0 released