diff options
| author |   Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2022-11-13 11:00:25 -0800 |
|---|---|---|
| committer |   Michał Górny <mgorny@gentoo.org> | 2024-01-15 14:39:10 +0100 |
| commit | 715cd9e32f1f6ed2ed1dd17b5f89aa46495efc07 (patch) | |
| tree | 24d50b705e23809089b3750f80075931e467ef68 | |
| parent | gh-79096: Protect cookie file created by {LWP,Mozilla}CookieJar.save() (GH-93... (diff) | |
| download | pypy-715cd9e32f1f6ed2ed1dd17b5f89aa46495efc07.tar.gz pypy-715cd9e32f1f6ed2ed1dd17b5f89aa46495efc07.tar.bz2 pypy-715cd9e32f1f6ed2ed1dd17b5f89aa46495efc07.zip | |
gh-99418: Make urllib.parse.urlparse enforce that a scheme must begin with an alphabetical ASCII character. (GH-99421)gentoo-3.9-7.3.15
Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
The WHATWG URL spec defines a scheme like this:
`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
| -rw-r--r-- | lib-python/3/test/test_urlparse.py | 18 | ||||
| -rw-r--r-- | lib-python/3/urllib/parse.py | 2 |
2 files changed, 19 insertions, 1 deletions
diff --git a/lib-python/3/test/test_urlparse.py b/lib-python/3/test/test_urlparse.py index 574da5bd69..6528ea2841 100644 --- a/lib-python/3/test/test_urlparse.py +++ b/lib-python/3/test/test_urlparse.py @@ -724,6 +724,24 @@ class UrlParseTestCase(unittest.TestCase): with self.assertRaises(ValueError): p.port + def test_attributes_bad_scheme(self): + """Check handling of invalid schemes.""" + for bytes in (False, True): + for parse in (urllib.parse.urlsplit, urllib.parse.urlparse): + for scheme in (".", "+", "-", "0", "http&", "६http"): + with self.subTest(bytes=bytes, parse=parse, scheme=scheme): + url = scheme + "://www.example.net" + if bytes: + if url.isascii(): + url = url.encode("ascii") + else: + continue + p = parse(url) + if bytes: + self.assertEqual(p.scheme, b"") + else: + self.assertEqual(p.scheme, "") + def test_attributes_without_netloc(self): # This example is straight from RFC 3261. It looks like it # should allow the username, hostname, and port to be filled diff --git a/lib-python/3/urllib/parse.py b/lib-python/3/urllib/parse.py index f5d3662313..1bb2f5b4a7 100644 --- a/lib-python/3/urllib/parse.py +++ b/lib-python/3/urllib/parse.py @@ -482,7 +482,7 @@ def urlsplit(url, scheme='', allow_fragments=True): clear_cache() netloc = query = fragment = '' i = url.find(':') - if i > 0: + if i > 0 and url[0].isascii() and url[0].isalpha(): for c in url[:i]: if c not in scheme_chars: break |