CVE-2019-9636: urlsplit does not handle NFKC normalization¶
URLs encoded with Punycode/IDNA use NFKC normalization to decompose characters. This can result in some characters introducing new segments into a URL.
- Disclosure date: 2019-03-06 (Python issue bpo-36216 reported)
- Reported at: 2019-02-16 (email to PSRT)
- Reported by: Jonathan Birch of Microsoft Corporation and Panayiotis Panayiotou
- Python 2.7
- Python 3.4
- Python 3.5
- Python 3.6
- Python 3.7
urlsplit does not handle NFKC normalization.
- Python issue: bpo-36216
- Creation date: 2019-03-06
- Reporter: Steve Dower
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
- CVE ID: CVE-2019-9636
- Published: 2019-03-08
Timeline using the disclosure date 2019-03-06 as reference:
- 2019-02-16 (-18 days): Reported (email to PSRT)
- 2019-03-06: Python issue bpo-36216 reported by Steve Dower
- 2019-03-07 (+1 days): commit 16e6f7d (branch 3.8)
- 2019-03-07 (+1 days): commit daad2c4 (branch 3.7)
- 2019-03-07 (+1 days): commit e37ef41 (branch 2.7)
- 2019-03-08 (+2 days): CVE-2019-9636 published