urlsplit does not handle NFKC normalization (second fix)

Follow-up to the urllib NFKC normalization vulnerability: the first fix ignored the user/password part before @, which still allowed the vulnerability to be exploited.

The second fix no longer ignores the part before @.
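The following example is added here to illustrate the difference between the two fixes; it is not part of the advisory and not CPython's own urllib.parse code. The two functions (netloc_is_safe_first_fix, netloc_is_safe_second_fix) and the sample netlocs are constructed for illustration and only model the behaviour described above: the first version inspects only the text after the last literal @, the second version inspects the whole netloc. The check itself follows the documented idea: strip the delimiters that are legitimately present, NFKC-normalize the remainder, and reject it if normalization produced any of the URL delimiter characters.

```python
import unicodedata

# Delimiters that must not appear in a netloc only after NFKC normalization.
RESERVED = "/?#@:"


def netloc_is_safe_first_fix(netloc: str) -> bool:
    """Model of the first fix (assumption, not CPython's code): the
    user:password part before the last '@' is skipped entirely, so a
    compatibility character placed there is never normalized and checked."""
    host = netloc.rpartition("@")[2]          # everything before '@' is ignored
    if not host or host.isascii():
        return True
    stripped = host.replace(":", "")          # ':' before the port is legitimate
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True
    return not any(c in normalized for c in RESERVED)


def netloc_is_safe_second_fix(netloc: str) -> bool:
    """Model of the second fix (assumption, not CPython's code): the whole
    netloc, including user:password, is normalized and checked. Delimiters
    that are literally present are removed first so that only characters
    *introduced* by normalization trigger a rejection."""
    if not netloc or netloc.isascii():
        return True
    stripped = netloc
    for c in "@:#?":
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True
    return not any(c in normalized for c in RESERVED)


# Constructed sample netlocs. U+2100 (ACCOUNT OF) NFKC-normalizes to "a/c",
# so it introduces a '/' that was not present in the original text.
SAMPLES = {
    "plain ascii":              "user@example.com:8080",
    "harmless non-ascii host":  "b\u00fccher.example",
    "compat char in userinfo":  "user\u2100@example.com",
    "compat char in hostname":  "user@\u2100.example.com",
}


def compare_fixes(samples=SAMPLES):
    """Return {label: (first_fix_ok, second_fix_ok)} for each sample netloc."""
    return {
        label: (netloc_is_safe_first_fix(n), netloc_is_safe_second_fix(n))
        for label, n in samples.items()
    }


if __name__ == "__main__":
    for label, (first, second) in compare_fixes().items():
        print(f"{label:26} first fix: {first!s:5} second fix: {second!s:5}")
```

The "compat char in userinfo" row is the one that separates the two fixes: the first model accepts it because it never looks before the @, while the second model rejects it. Both models agree on the plain ASCII netloc, on a hostname whose non-ASCII characters are already NFKC-stable, and on a compatibility character in the hostname itself.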

  • Disclosure date: 2019-04-27 (Python issue bpo-36742 reported)
  • Reported at: 2019-06-03 (email to PSRT)
  • Reported by: Riccardo Schirone (Red Hat)

Vulnerable Versions

  • Python 2.7
  • Python 3.5
  • Python 3.6
  • Python 3.7

Python issue

urlsplit doesn’t accept a NFKD hostname with a port number.

  • Python issue: bpo-36742
  • Creation date: 2019-04-27
  • Reporter: Chihiro Ito

Timeline

Timeline using the disclosure date 2019-04-27 as reference: