Hi,

I wrote a PR to fix the following urllib security vulnerability:

"urlparse of urllib returns wrong hostname"
https://bugs.python.org/issue36338
https://github.com/python/cpython/pull/16780

While writing my fix, I found another issue about "[" and "]"
characters in the user:password section of a URL:

"urllib IPv6 parsing fails with special characters in passwords"
https://bugs.python.org/issue33342

My PR tries to validate the "scope" part of
"http://[IPv6%scope]/...": reject "%", "[" and "]" in scope. But I'm
not sure that Python should really support the scope in a URL. Should
we just reject URLs with "%scope"? Or if we allow it, which characters
should be allowed and/or rejected?

It seems like Firefox and Chromium don't support an IPv6 address with a
scope: when I type http://[::1%1]/, they open a Google search on this
URL.

I tested Python urllib.request.urlopen() with my PR:
http://[::1%1]:8080/ works as expected: it opens a connection to the
IPv6 localhost in the loopback interface (TCP port 8080).

Currently, my PR allows "%scope" but it rejects "%", "[" and "]"
characters in the scope.

I let you go through these 2 RFCs about IPv6 scope / "zone identifier":

https://tools.ietf.org/html/rfc4007
https://tools.ietf.org/html/rfc6874

Victor
-- 
Night gathers, and now my watch begins. It shall not end until my death.
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/T7NJBO6B32KZZ5KAXJXHT7CTKU7634UU/
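An added example, not Victor's PR or CPython code, of the validation rule the message describes: strip the userinfo (everything before the last "@") so brackets in a password cannot be taken for the host brackets, then reject "%", "[" and "]" inside the "%scope" part of a bracketed IPv6 host. The helper names are mine, and the requirement that only an optional ":port" may follow the closing "]" is an assumption of this example.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

FORBIDDEN_IN_ZONE = set("%[]")  # characters the PR rejects inside the zone id


class BracketedHost(NamedTuple):
    address: ipaddress.IPv6Address
    zone: Optional[str]  # "1" for http://[::1%1]/, None when no zone is given
    port: Optional[int]


def authority_of(url: str) -> str:
    """Return the authority (userinfo@host:port) of an absolute URL."""
    start = url.find("//")
    if start < 0:
        raise ValueError("URL has no authority component")
    return re.split(r"[/?#]", url[start + 2:], maxsplit=1)[0]


def parse_bracketed_host(url: str) -> BracketedHost:
    """Validate a "[IPv6%zone]:port" host, applying the PR's rule to the zone."""
    # Drop userinfo (everything up to the last "@") first, so a "[" or "]"
    # inside a password cannot be mistaken for the host brackets.
    host_port = authority_of(url).rpartition("@")[2]
    if not host_port.startswith("["):
        raise ValueError("not a bracketed IPv6 host")
    close = host_port.find("]")
    if close < 0:
        raise ValueError("Invalid IPv6 URL")
    inner, tail = host_port[1:close], host_port[close + 1:]
    port = None
    if tail:  # assumption: only an optional ":port" may follow the closing bracket
        if not re.fullmatch(r":\d{1,5}", tail) or int(tail[1:]) > 65535:
            raise ValueError(f"unexpected text after IPv6 literal: {tail!r}")
        port = int(tail[1:])
    # The zone identifier ("scope") is whatever follows the first "%".
    addr_text, sep, zone = inner.partition("%")
    if sep and (not zone or FORBIDDEN_IN_ZONE & set(zone)):
        raise ValueError(f"invalid IPv6 zone identifier: {zone!r}")
    # The address part itself must still be a well-formed IPv6 literal.
    return BracketedHost(ipaddress.IPv6Address(addr_text), zone or None, port)


def rejects(url: str) -> bool:
    """True when parse_bracketed_host() refuses the URL with a ValueError."""
    try:
        parse_bracketed_host(url)
    except ValueError:
        return True
    return False
```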