Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 29f348e

Browse filesBrowse files
JohnJamesUtleygpshead
JohnJamesUtley
and
gpshead
authored
pythongh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (python#103849)
* Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format --------- Co-authored-by: Gregory P. Smith <greg@krypto.org>
1 parent 2c863b3 commit 29f348e
Copy full SHA for 29f348e

File tree

3 files changed

+43
-1
lines changed
Filter options

3 files changed

+43
-1
lines changed

‎Lib/test/test_urlparse.py

Copy file name to clipboardExpand all lines: Lib/test/test_urlparse.py
+26Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1042,6 +1042,32 @@ def test_issue14072(self):
10421042
self.assertEqual(p2.scheme, 'tel')
10431043
self.assertEqual(p2.path, '+31641044153')
10441044

1045+
def test_invalid_bracketed_hosts(self):
1046+
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[192.0.2.146]/Path?Query')
1047+
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[important.com:8000]/Path?Query')
1048+
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v123r.IP]/Path?Query')
1049+
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v12ae]/Path?Query')
1050+
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v.IP]/Path?Query')
1051+
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v123.]/Path?Query')
1052+
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v]/Path?Query')
1053+
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query')
1054+
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query')
1055+
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path')
1056+
1057+
def test_splitting_bracketed_hosts(self):
1058+
p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query')
1059+
self.assertEqual(p1.hostname, 'v6a.ip')
1060+
self.assertEqual(p1.username, 'user')
1061+
self.assertEqual(p1.path, '/path')
1062+
p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query')
1063+
self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test')
1064+
self.assertEqual(p2.username, 'user')
1065+
self.assertEqual(p2.path, '/path')
1066+
p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query')
1067+
self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test')
1068+
self.assertEqual(p3.username, 'user')
1069+
self.assertEqual(p3.path, '/path')
1070+
10451071
def test_port_casting_failure_message(self):
10461072
message = "Port could not be cast to integer value as 'oracle'"
10471073
p1 = urllib.parse.urlparse('http://Server=sde; Service=sde:oracle')

‎Lib/urllib/parse.py

Copy file name to clipboardExpand all lines: Lib/urllib/parse.py
+15-1Lines changed: 15 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,7 @@
3333
import re
3434
import types
3535
import warnings
36+
import ipaddress
3637

3738
__all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag",
3839
"urlsplit", "urlunsplit", "urlencode", "parse_qs",
@@ -427,6 +428,17 @@ def _checknetloc(netloc):
427428
raise ValueError("netloc '" + netloc + "' contains invalid " +
428429
"characters under NFKC normalization")
429430

431+
# Valid bracketed hosts are defined in
432+
# https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/
433+
def _check_bracketed_host(hostname):
434+
if hostname.startswith('v'):
435+
if not re.match(r"\Av[a-fA-F0-9]+\..+\Z", hostname):
436+
raise ValueError(f"IPvFuture address is invalid")
437+
else:
438+
ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4
439+
if isinstance(ip, ipaddress.IPv4Address):
440+
raise ValueError(f"An IPv4 address cannot be in brackets")
441+
430442
# typed=True avoids BytesWarnings being emitted during cache key
431443
# comparison since this API supports both bytes and str input.
432444
@functools.lru_cache(typed=True)
@@ -466,12 +478,14 @@ def urlsplit(url, scheme='', allow_fragments=True):
466478
break
467479
else:
468480
scheme, url = url[:i].lower(), url[i+1:]
469-
470481
if url[:2] == '//':
471482
netloc, url = _splitnetloc(url, 2)
472483
if (('[' in netloc and ']' not in netloc) or
473484
(']' in netloc and '[' not in netloc)):
474485
raise ValueError("Invalid IPv6 URL")
486+
if '[' in netloc and ']' in netloc:
487+
bracketed_host = netloc.partition('[')[2].partition(']')[0]
488+
_check_bracketed_host(bracketed_host)
475489
if allow_fragments and '#' in url:
476490
url, fragment = url.split('#', 1)
477491
if '?' in url:

‎Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst

Copy file name to clipboard
+2Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
Add checks to ensure that ``[`` bracketed ``]`` hosts found by
2+
:func:`urllib.parse.urlsplit` are of IPv6 or IPvFuture format.

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.