[issue36338] urlparse of urllib returns wrong hostname

2019-08-07 Thread Xianbo Wang
Xianbo Wang added the comment:

Python2 urlparse.urlparse and urllib2.urlparse.urlparse have a similar IPv6 hostname parsing bug.

>>> urlparse.urlparse('http://nevil.com[]').hostname
>>> 'evil.com['

This is less practical to exploit since the parsed domain contains a '['

[issue36338] urlparse of urllib returns wrong hostname

2019-03-18 Thread Xianbo Wang
New submission from Xianbo Wang:

The urlparse function in Python urllib returns the wrong hostname when parsing a URL crafted by a malicious user. This may be caused by incorrect handling of IPv6 addresses. The bug could lead to an open redirect in web applications which rely on urlparse