codehaus


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2019-9636 - Can this be exploit over the wire?



> On 5 Sep 2019, at 16:18, Random832 <random832 at fastmail.com> wrote:

Thanks for taking the time to reply.

> 
> On Wed, Sep 4, 2019, at 13:36, Barry Scott wrote:
>> The conclusion I reached is that the CVE only applies to client code 
>> that allows a URL in unicode to be entered.
>> 
>> Have I missed something important in the analysis?
> 
> While as I mentioned in my other post I'm not sure if the CVE's analysis of URL behavior is correct generally,

Agreed, would have liked to have had more details and context.

> you have missed the fact that an HTML page can provide URLs in unicode, either with the page itself encoded in UTF-8, or with whatever characters escaped as XML character references... not only as bytes in IDNA or percent-escaped hex. The same principle applies to other formats in which URLs might be interchanged as encoded unicode strings, such as JSON. The fact that accessing such a URL requires converting the non-ASCII parts to IDNA (for the domain part) or percent-escaped hex (for other parts) doesn't limit this to user input.
> 
> <a href="https://example.com&#xff03;@bing.com";>like this</a>


That gets the unicode version into the app and then the bug can be triggered.

In my case this is not a way in as the code does not parse web pages.

Barry



> -- 
> https://mail.python.org/mailman/listinfo/python-list
>