urllib.request resolves the host before checking it against the system's proxy bypass list [Security: LOW, minor info leak] #115197

Closed
Assignees: gpshead, sethmlarson
Labels: 3.10 (only security fixes), 3.11 (only security fixes), 3.12 (only security fixes), 3.13 (bugs and security fixes), 3.8 (EOL) (end of life), 3.9 (EOL) (end of life), OS-mac, OS-windows, type-bug (An unexpected behavior, bug, or error), type-security (A security issue)
@weiiwang01


Bug report

Bug description:

When the system proxy bypass list is set, the urllib.request library on macOS and Windows resolves the hostname to an IP address and the IP address to a hostname (on Windows) before checking it against the system proxy bypass list (see here and here).

This causes a DNS leak and HTTP requests to hang while waiting for DNS timeout in some air-gapped environments. This behavior also differs from other system applications (tested on macOS Sonoma with Safari and Windows Server 2022 with the Edge browser).

Test process on macOS and Windows:

Creating an A record from <my-test-domain>.net to <my-test-ip>.

macOS with Safari:

In the system network setting:

  • "Web proxy (HTTP)" is set to 172.16.0.1:8000
  • "Secure web proxy (HTTPS)" is set to 172.16.0.1:8000
  • "Bypass proxy settings" is set to <my-test-ip>

In Safari:

  • visiting http://<my-test-ip>: does not use the proxy
  • visiting http://<my-test-domain>.net: uses the proxy

Windows Server 2022 with Edge browser:

In system network setting:

  • "HTTP proxy" is set to 172.16.0.1:8000
  • "Do not use proxy server" is set to <my-test-ip>

In Edge browser:

  • visiting http://<my-test-ip>: does not use the proxy
  • visiting http://<my-test-domain>.net: uses the proxy

urllib.request on Windows also resolves the IP address back to the FQDN before the check; here's a test for that:

Windows Server 2022 with Edge browser:

Update the Host file so the IP address can be resolved back to FQDN (socket.getfqdn("<my-test-ip>") == "<my-test-domain>.net").

In system network setting:

  • "HTTP proxy" is set to 172.16.0.1:8000
  • "Do not use proxy server" is set to .net

In Edge browser:

  • visiting http://<my-test-ip>: uses the proxy
  • visiting http://<my-test-domain>.net: does not use the proxy

CPython versions tested on:

CPython main branch

Operating systems tested on:

macOS, Windows
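
The literal matching that Safari and Edge showed in the tests above can be sketched as a bypass check that never touches the resolver. This is an added example, not code from the issue or from CPython. The entry syntax (leading-dot suffix, glob, CIDR), the helper names, and the stand-in address and domain are assumptions.

```python
import contextlib
import fnmatch
import ipaddress
import socket
from unittest import mock

# Constructed stand-ins for the report's <my-test-ip> and <my-test-domain>.net.
TEST_IP = "192.0.2.10"
TEST_DOMAIN = "host.example.net"

def should_bypass(host, bypass_list):
    """True if host matches a bypass entry as typed. The host is compared as
    text or as an IP literal; no forward or reverse DNS lookup is made."""
    host = host.strip().lower().rstrip(".").strip("[]")
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None  # a hostname, matched as text only
    for entry in (e.strip().lower() for e in bypass_list):
        if not entry:
            continue
        if host_ip is not None:
            try:  # IP or CIDR entry (assumed syntax)
                if host_ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # entry is not an address; fall through to text match
        if entry.startswith("."):  # leading-dot suffix entry (assumed syntax)
            if host_ip is None and (host.endswith(entry) or host == entry[1:]):
                return True
        elif fnmatch.fnmatchcase(host, entry):  # exact name or glob
            return True
    return False

def check_without_dns(host, bypass_list):
    """Run should_bypass with the socket resolver functions mocked out and
    return (result, number_of_resolver_calls)."""
    names = ("getaddrinfo", "gethostbyname", "gethostbyaddr", "getfqdn")
    with contextlib.ExitStack() as stack:
        mocks = [stack.enter_context(mock.patch.object(socket, n)) for n in names]
        result = should_bypass(host, bypass_list)
        return result, sum(m.call_count for m in mocks)

if __name__ == "__main__":
    for bypass in ([TEST_IP], [".net"]):
        for host in (TEST_IP, TEST_DOMAIN):
            print(bypass, host, check_without_dns(host, bypass))
```

The resolver call count returned by check_without_dns can serve as a regression check that a bypass decision never triggers a lookup.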
