CVE-2019-9636 - Can this be exploit over the wire?
On Wed, Sep 4, 2019, at 13:36, Barry Scott wrote:
> I have been looking into CVE-2019-9636 and I'm not sure that
> python code that works in bytes is vulnerable to this.
I'm not convinced that the CVE (or, at least, the description in the bug report... it's also unclear to me whether this is an accurate example of the CVE) is valid at all. That is, I don't think its suggestion that browsers generally use compatibility normalization in decomposing URLs is correct.
I tried the given address "https://example.com\uff03 at bing.com" (with actual \uff03 character) in Firefox, Chrome, and Edge, and they all accessed bing.com.