Skip to content
Snippets Groups Projects
Unverified Commit 439b9cfa authored by Ben Kallus's avatar Ben Kallus Committed by GitHub
Browse files

gh-99418: Make urllib.parse.urlparse enforce that a scheme must begin with an...

gh-99418: Make urllib.parse.urlparse enforce that a scheme must begin with an alphabetical ASCII character. (#99421)

Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.

RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`

The WHATWG URL spec defines a scheme like this:
`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
parent 50b04151
Branches
Tags
No related merge requests found
......@@ -668,6 +668,24 @@ def test_attributes_bad_port(self):
with self.assertRaises(ValueError):
p.port
def test_attributes_bad_scheme(self):
"""Check handling of invalid schemes."""
for bytes in (False, True):
for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
for scheme in (".", "+", "-", "0", "http&", "६http"):
with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
url = scheme + "://www.example.net"
if bytes:
if url.isascii():
url = url.encode("ascii")
else:
continue
p = parse(url)
if bytes:
self.assertEqual(p.scheme, b"")
else:
self.assertEqual(p.scheme, "")
def test_attributes_without_netloc(self):
# This example is straight from RFC 3261. It looks like it
# should allow the username, hostname, and port to be filled
......
......@@ -460,7 +460,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
allow_fragments = bool(allow_fragments)
netloc = query = fragment = ''
i = url.find(':')
if i > 0:
if i > 0 and url[0].isascii() and url[0].isalpha():
for c in url[:i]:
if c not in scheme_chars:
break
......
Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
with a digit, a plus sign, or a minus sign to be parsed incorrectly.
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment