urlparse has a parsing problem when the entire URL starts with blank characters.
This problem affects the parsing of both the hostname and the scheme, and ultimately causes any blocklisting method to fail.
A high-severity security flaw has been disclosed in the Python URL parsing function that could be exploited to bypass domain or protocol filtering methods implemented with a blocklist, ultimately resulting in arbitrary file reads and command execution.
"The vulnerability can be expected to help SSRF and RCE in a wide range of scenarios," the CERT Coordination Center (CERT/CC) says in an advisory.
"Although a blocklist is generally considered an inferior choice, there are many scenarios where blocklists are still needed," Cao said.
He emphasized the importance of this vulnerability.
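The failure mode described above is that a URL with leading blank characters parses to an empty scheme and hostname, so a blocklist that compares against those fields matches nothing. The defensive pattern below is an added example written for this page (not code from the researcher, CERT/CC or the Python project): it refuses any URL whose ends carry whitespace or control characters instead of relying on the parser to strip them, and it then fails closed on an allowlist of schemes and hosts. `ALLOWED_SCHEMES` and `ALLOWED_HOSTS` are constructed sample values.

```python
from urllib.parse import urlsplit

# C0 control characters and space (U+0000..U+0020). Whether urlparse strips these
# from the ends of a URL depends on the Python version, so the check is done here,
# before parsing, rather than trusting the parser.
_BLANKS = "".join(chr(c) for c in range(0x21))

# Constructed allowlist for the example; a real service would load its own.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"example.com", "api.example.com"}


def has_edge_blanks(raw: str) -> bool:
    """True if the URL begins or ends with whitespace or a control character."""
    return raw != raw.strip(_BLANKS)


def is_safe_url(raw: str) -> bool:
    """Return True only for a URL with an allowed scheme and host.

    Fails closed: edge whitespace/control characters, an empty scheme or host,
    or any value outside the allowlists all yield False. A blocklist built on
    the same parsed fields would instead pass the empty values through.
    """
    if has_edge_blanks(raw):
        return False
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if not scheme or not host:
        return False
    return scheme in ALLOWED_SCHEMES and host in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed inputs: a normal URL, the same URL with a leading space,
    # a host outside the allowlist and a non-web scheme.
    for candidate in ("https://example.com/data",
                      " https://example.com/data",
                      "https://internal.example.org/",
                      "file:///etc/hostname"):
        print(repr(candidate), "->", "allowed" if is_safe_url(candidate) else "rejected")
```

The check for edge blanks is deliberately separate from the allowlist decision so that a request log can record which rule rejected a URL; a spike in rejections from `has_edge_blanks` is a useful detection signal for probing of this parser behaviour.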