Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

`util.parse_url` allows invalid characters in reg-names

See original GitHub issue

`util.parse_url` allows invalid characters in reg-names.

RFC3986 defines reg-name as follows: reg-name = *( unreserved / pct-encoded / sub-delims ) unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "=" pct-encoded = "%" HEXDIG HEXDIG

Currently, urllib3.util.parse_url accepts reg-names containing characters outside those enumerated above. The incorrectly accepted ASCII characters are [\x00-\x20], ", <, >, ^, `, {, |, }, and \x7f.

Environment

>>> print("OS", platform.platform())
OS Linux-6.0.7-arch1-1-x86_64-with-glibc2.36
>>> print("Python", platform.python_version())
urllib3 2.0.0.dev0
>>> print("urllib3", urllib3.__version__)
Python 3.10.8

Steps to Reproduce

>>> import urllib3
>>> urllib3.util.parse_url("http://|") # Whatever happens, "|" should not end up in a reg-name.
Url(scheme='http', auth=None, host='|', port=None, path=None, query=None, fragment=None)
>>> # But it does!

Issue Analytics

State:
Created 10 months ago
Comments:5 (2 by maintainers)

Top GitHub Comments

1reaction

kenballuscommented, Nov 22, 2022

I closed the PR because I made it from the main branch of my fork and it had an extraneous fix built in. Working on making a series of PRs, each from separate branches, that fix a few different things.

Currently traveling for Thanksgiving, but will submit in the next few days.

0reactions

sethmlarsoncommented, Nov 19, 2022

@kenballus Yeah that’s a safe assumption, we implement RFC 3986 instead of WHATWG. Why have you closed your PR btw?