urlsplit does not handle NFKC normalization (second fix)

Follow up of the urllib NFKC normalization vulnerability: the fix ignored the user/password before @ whereas it still allowed to exploit the vulnerability.

The second fix no longer ignores the part before @.

• Disclosure date: 2019-04-27 (Python issue bpo-36742 reported)
• Reported at: 2019-06-03 (email to PSRT)
• Reported by: Riccardo Schirone (Red Hat)

Fixed In

• Python 3.6.9 (2019-07-03) fixed by commit fd1771d (branch 3.6) (2019-06-04)
• Python 3.7.4 (2019-07-09) fixed by commit 250b62a (branch 3.7) (2019-06-04)

Vulnerable Versions

• Python 2.7 (need release)
• Python 3.5 (need release)

Python issue

urlsplit doesn’t accept a NFKD hostname with a port number.

• Python issue: bpo-36742
• Creation date: 2019-04-27
• Reporter: Chihiro Ito

Timeline

Timeline using the disclosure date 2019-04-27 as reference:

• 2019-04-27: Python issue bpo-36742 reported by Chihiro Ito
• 2019-06-03 (+37 days): Reported (email to PSRT)
• 2019-06-04 (+38 days): commit 250b62a (branch 3.7)
• 2019-06-04 (+38 days): commit 8d0ef0b (branch 3.8)
• 2019-06-04 (+38 days): commit f61599b (branch 2.7)
• 2019-06-04 (+38 days): commit fd1771d (branch 3.6)
• 2019-07-03 (+67 days): Python 3.6.9 released
• 2019-07-09 (+73 days): Python 3.7.4 released
• 2019-07-14 (+78 days): commit 4655d57 (branch 3.5)

Links

• https://www.cvedetails.com/cve/CVE-2019-10160/