> The “urllib.parse” module generally follows RFC 3986, which does not
> allow a literal backslash in the “userinfo” part:
And yet the parse() function seems to allow arbitrary unescaped
characters. This is from 3.8.0a0:
py> from urllib.parse import urlparse
py> urlparse(r'http://spam\eggs!cheese&aardvark@evil.com').netloc
'spam\\eggs!cheese&aardvark@evil.com'
py> urlparse(r'http://spam\eggs!cheese&aardvark@evil.com').hostname
'evil.com'
If that's a bug, it is a separate bug to this issue.
Backslash doesn't seem relevant to the security issue of userinfo being
used to mislead:
py> urlparse('http://www.google.com@evil.com').netloc
'www.google.com@evil.com'
py> urlparse('http://www.google.com@evil.com').hostname
'evil.com'
If it is relevant, can somebody explain to me how?