urlsplit does not handle NFKC normalization (second fix)

Follow-up of the urllib NFKC normalization vulnerability: the first fix ignored the user/password part before @, which still allowed the vulnerability to be exploited.

The second fix no longer ignores the part before @ when checking the netloc under NFKC normalization.
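As an added illustration of the check described above (example code written for this page, not CPython's own `urllib.parse` implementation), the function below validates a URL netloc the way the second fix intends: delimiters that are already present (the `:` before a port, the `@` after userinfo) are stripped first, the remainder is NFKC-normalized, and any delimiter that appears only after normalization is rejected. The whole netloc is checked, including the user/password part before `@`. The sample inputs are constructed for this example; the Unicode facts they rely on (U+2100 normalizes to `a/c`, U+FF20 normalizes to `@`) are standard NFKC compatibility mappings.

```python
import unicodedata

# Delimiters whose appearance *after* NFKC normalization would change how
# a netloc splits into userinfo, host and port.
_DELIMITERS = "/?#@:"


def check_netloc_nfkc(netloc: str) -> None:
    """Raise ValueError if NFKC-normalizing `netloc` introduces a delimiter.

    Assumption (added example, not CPython's code): the entire netloc is
    examined, including any user:password before '@', which is exactly
    what the second fix restores.
    """
    if not netloc or netloc.isascii():
        return
    # Delimiters already present are legitimate (port separator, userinfo
    # separator, ...); drop them so only delimiters *created* by
    # normalization are detected. This is what lets an NFKD hostname with a
    # port number pass while still catching dangerous expansions.
    stripped = netloc
    for c in "@:#?":
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if stripped == normalized:
        return
    for c in _DELIMITERS:
        if c in normalized:
            raise ValueError(
                f"netloc {netloc!r} contains invalid characters "
                "under NFKC normalization"
            )


def is_safe_netloc(netloc: str) -> bool:
    """Boolean wrapper around check_netloc_nfkc, convenient for logging."""
    try:
        check_netloc_nfkc(netloc)
    except ValueError:
        return False
    return True


# Constructed sample inputs (not from the advisory) with expected verdicts.
SAMPLES = {
    # NFKD-decomposed "ü" (u + U+0308) followed by a port: the ':' is a
    # legitimate port separator and must be accepted (the bpo-36742 report).
    "u\u0308ber.example:8080": True,
    # U+2100 ACCOUNT OF normalizes to "a/c": a '/' appears, so reject.
    "example.com\u2100": False,
    # Fullwidth '@' (U+FF20) inside the *userinfo* part normalizes to '@'.
    # The first fix skipped everything before '@'; this check does not.
    "user\uff20evil@example.com": False,
    # Precomposed non-ASCII that NFKC leaves unchanged: accepted.
    "user:p\u00e4ss@example.com:443": True,
}


def run_samples() -> dict:
    """Return {netloc: verdict} for every constructed sample."""
    return {netloc: is_safe_netloc(netloc) for netloc in SAMPLES}


if __name__ == "__main__":
    for netloc, verdict in run_samples().items():
        status = "ok" if verdict else "REJECTED"
        print(f"{status:8} {netloc!r}  (expected {SAMPLES[netloc]})")
```

Running the block prints one line per sample; the fullwidth-`@` case is the one that distinguishes the second fix from the first, since a check that discards everything before `@` never sees it.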

  • Disclosure date: 2019-04-27 (Python issue bpo-36742 reported)
  • Reported at: 2019-06-03 (email to PSRT)
  • Reported by: Riccardo Schirone (Red Hat)

Fixed In

Vulnerable Versions

  • Python 2.7 (need release)
  • Python 3.5 (need release)

Python issue

urlsplit doesn’t accept a NFKD hostname with a port number.

  • Python issue: bpo-36742
  • Creation date: 2019-04-27
  • Reporter: Chihiro Ito
Timeline using the disclosure date 2019-04-27 as reference: