urlsplit does not handle NFKC normalization (second fix)

Follow up of the urllib NFKC normalization vulnerability: the fix ignored the user/password before @ whereas it still allowed to exploit the vulnerability.

The second fix no longer ignores the part before @.

• Disclosure date: 2019-04-27 (Python issue bpo-36742 reported)
• Reported at: 2019-06-03 (email to PSRT)
• Reported by: Riccardo Schirone (Red Hat)

Vulnerable Versions

• Python 2.7
• Python 3.5
• Python 3.6
• Python 3.7

Python issue

urlsplit doesn’t accept a NFKD hostname with a port number.

• Python issue: bpo-36742
• Creation date: 2019-04-27
• Reporter: Chihiro Ito

Timeline

Timeline using the disclosure date 2019-04-27 as reference:

• 2019-04-27: Python issue bpo-36742 reported by Chihiro Ito
• 2019-06-03 (+37 days): Reported (email to PSRT)
• 2019-06-04 (+38 days): commit 250b62a (branch 3.7)
• 2019-06-04 (+38 days): commit 8d0ef0b (branch 3.8)
• 2019-06-04 (+38 days): commit f61599b (branch 2.7)
• 2019-06-04 (+38 days): commit fd1771d (branch 3.6)

Links

• https://www.cvedetails.com/cve/CVE-2019-10160/