unfurl Parsing misclassification if the password begins with ? or / or #

Parsing misclassification if the password begins with ? or / or #

Open 2xyo opened this issue 5 years ago • 3 comments

trafficstars

These URLs cause a misclassification:

http://test:[email protected]
- test: -> URL network location
- [email protected] -> URL query
http://test:/[email protected]
- test: -> URL network location
- /[email protected] -> URL path
http://test:#[email protected]
- test: -> URL network location
- [email protected] -> URL fragment

The misclassification appears if the password begins with a delimiter defined in RFC3986, section 3.2:

The authority component is preceded by a double slash ("//") and is
terminated by the next slash ("/"), question mark ("?"), or number
sign ("#") character, or by the end of the URI.

Dec 13 '19 12:12 2xyo

Unfurl uses urllib.parse for this functionality, and it appears this bug is known / being fixed (https://bugs.python.org/issue37854), although the time frame is unclear to me.

I think we'll wait for the urllib.parse bug to get fixed over re-implementing ourselves. Thank you for the bug report though!

Jan 08 '20 23:01 obsidianforensics

Checked urllib's bug again, still no progress.

Sep 14 '20 21:09 obsidianforensics

Checked urllib's bug again, still no progress.

Jan 15 '22 17:01 obsidianforensics

unfurl unfurl copied to clipboard

Parsing misclassification if the password begins with ? or / or #

unfurl
unfurl copied to clipboard