10000 gh-105704: Disallow square brackets (`[` and `]`) in domain names for parsed URLs by sethmlarson · Pull Request #129418 · python/cpython · GitHub
[go: up one dir, main page]
Skip to content

gh-105704: Disallow square brackets ([ and ]) in domain names for parsed URLs #129418

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jan 31, 2025
Merged

gh-105704: Disallow square brackets ([ and ]) in domain names for parsed URLs #129418

merged 4 commits into from
Jan 31, 2025

Conversation

sethmlarson
Copy link
Contributor
@sethmlarson sethmlarson commented Jan 28, 2025
edited
Loading

Opening this pull request in favor of #111261, as the original author appears to not be responding to reviews. This moves the error to occur during parsing instead of on the ParseResult properties.

cc @gpshead @orsenthil @pschoen-itsc as reviewers on the previous PR.

@sethmlarson sethmlarson added type-security A security issue needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Jan 28, 2025
@bedevere-app bedevere-app bot mentioned this pull request Jan 28, 2025
Closed
vstinner
vstinner reviewed Jan 30, 2025
View reviewed changes
Lib/test/test_urlparse.py
self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]?')
self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix?')
self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@prefix.[v6a.ip]')
self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@[v6a.ip].suffix')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be helpful to add tests only with [, and tests only with ]. Such URL is also invalid, no?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I'll add tests with that structure too! Thanks :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added in ebf92bb

sethmlarson and others added 2 commits January 30, 2025 09:50
@sethmlarson @ZeroIntensity
Use Sphinx references
3ab35e8 
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
@sethmlarson
Add mismatched bracket test cases, fix news format
ebf92bb
@sethmlarson sethmlarson requested a review from vstinner January 30, 2025 17:48
orsenthil
orsenthil approved these changes Jan 30, 2025
View reviewed changes
Copy link
Member
@orsenthil orsenthil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Thank you!

@sethmlarson
Copy link
Contributor Author

The failure in Windows free-threading looks unrelated, I can't merge without all the checks passing so if someone else can that would be appreciated 💜
8000

@orsenthil orsenthil enabled auto-merge (squash) January 31, 2025 16:50
@orsenthil orsenthil disabled auto-merge January 31, 2025 16:50
@orsenthil
Copy link
Member

Looks like that's a required to succeed.

@orsenthil orsenthil merged commit d89a5f6 into python:main Jan 31, 2025
43 checks passed
@miss-islington-app
Copy link

Thanks @sethmlarson for the PR, and @orsenthil for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9, 3.10, 3.11, 3.12, 3.13.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jan 31, 2025
@sethmlarson @ZeroIntensity @miss-islington
pythongh-105704: Disallow square brackets ([ and ]) in domain nam…
6117a60 
…es for parsed URLs (pythonGH-129418)

* pythongh-105704: Disallow square brackets ( and ) in domain names for parsed URLs

* Use Sphinx references

Co-authored-by: Peter Bierma <zintensitydev@gmail.com>

* Add mismatched bracket test cases, fix news format

* Add more test coverage for ports

---------

(cherry picked from commit d89a5f6)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
@bedevere-app
Copy link
bedevere-app bot commented Jan 31, 2025

GH-129526 is a backport of this pull request to the 3.13 branch.

This was referenced Feb 3, 2025
Merged
Merged
Closed
Merged
Merged
Merged
Merged
Merged
Merged
srinivasreddy pushed a commit to srinivasreddy/cpython that referenced this pull request Feb 7, 2025
@sethmlarson @ZeroIntensity @srinivasreddy
pythongh-105704: Disallow square brackets ([ and ]) in domain nam…
1f1424b 
…es for parsed URLs (python#129418)

* pythongh-105704: Disallow square brackets ( and ) in domain names for parsed URLs

* Use Sphinx references

Co-authored-by: Peter Bierma <zintensitydev@gmail.com>

* Add mismatched bracket test cases, fix news format

* Add more test coverage for ports

---------

Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
@github-actions github-actions bot mentioned this pull request Feb 7, 2025
Merged
1 task
@The-Compiler The-Compiler mentioned this pull request Feb 17, 2025
Closed
The-Compiler added a commit to qutebrowser/qutebrowser that referenced this pull request Feb 17, 2025
@The-Compiler
Update urlmatch tests for Python fixes
accce7f 
python/cpython#78541
python/cpython#105704
python/cpython#129418
ambv pushed a commit that referenced this pull request Feb 19, 2025
@miss-islington @sethmlarson @ZeroIntensity
[3.11] gh-105704: Disallow square brackets ([ and ]) in domain na…
526617e 
…mes for parsed URLs (GH-129418) (#129528)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
ambv added a commit that referenced this pull request Feb 19, 2025
@miss-islington @sethmlarson
@ZeroIntensity @ambv
[3.10] gh-105704: Disallow square brackets ([ and ]) in domain na…
b8b4b71 
…mes for parsed URLs (GH-129418) (#129529)

(cherry picked from commit d89a5f6)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
ambv added a commit that referenced this pull request Feb 19, 2025
@miss-islington @sethmlarson
@ZeroIntensity @ambv
[3.9] gh-105704: Disallow square brackets ([ and ]) in domain nam…
ff4e5c2 
…es for parsed URLs (GH-129418) (#129530)

(cherry picked from commit d89a5f6)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
gentoo-bot pushed a commit to gentoo/cpython that referenced this pull request Apr 9, 2025
@miss-islington @sethmlarson
@ZeroIntensity @ambv @mgorny
[3.9] pythongh-105704: Disallow square brackets ([ and ]) in doma…
558d39c 
…in names for parsed URLs (pythonGH-129418) (python#129530)

(cherry picked from commit d89a5f6)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
This was referenced May 19, 2025
Closed
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Closed
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ZeroIntensity ZeroIntensity ZeroIntensity left review comments

@orsenthil orsenthil orsenthil approved these changes

@gpshead gpshead Awaiting requested review from gpshead

@vstinner vstinner Awaiting requested review from vstinner

Assignees
No one assigned
Labels
type-security A security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@sethmlarson @orsenthil @bedevere-bot @vstinner @ZeroIntensity
0