gh-137146: Validate IPv6 ZoneID characters against RFC 6874 in urllib.parse #137148
+13
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…pliant set
The current parsing logic for IPv6 addresses with Zone Identifiers (ZoneIDs)
uses the `ipaddress` module, which validates ZoneIDs according to RFC 4007,
allowing any non-null string. However, when used in URLs, ZoneIDs must follow
the percent-encoded format defined in RFC 6874.
This patch adds a check to restrict ZoneIDs to the allowed characters:
ALPHA / DIGIT / "-" / "." / "_" / "~" / "% HEXDIG HEXDIG"
RFC 6874 §2.1 specifies the format of an IPv6 address with a ZoneID in a URI as:
`IPv6addrz = IPv6address "%25" ZoneID`
Additionally, RFC 6874 recommends accepting a bare `%` without hex digits as a
liberal extension, but that flexibility still requires ZoneID content to conform
to a safe character set. This patch enforces that ZoneIDs do not include
characters outside the permitted range.
### Before the fix:
```py
>>> import urllib.parse
>>> urllib.parse.urlparse("http://[::1%2|test]/path")
ParseResult(scheme='http', netloc='[::1%2|test]', path='/path', ...)
```
Invalid characters such as `|` were incorrectly accepted in ZoneIDs.
### After the fix:
```py
>>> import urllib.parse
>>> urllib.parse.urlparse("http://[::1%2|test]/path")
Traceback (most recent call last):
...
ValueError: IPv6 ZoneID is invalid
```
This patch ensures `urllib.parse` properly rejects ZoneIDs with invalid characters,
improving compliance with the URI standards and helping prevent subtle bugs
or security vulnerabilities.
|
In the future, please use the title format I have edited your title too, as so that our automation can recognise it. |
| @@ -0,0 +1 @@ | |||
| Validate IPv6 ZoneID characters in bracketed hostnames to match RFC 6874. `urllib.parse` now rejects ZoneIDs containing invalid or unsafe characters. | |||
There was a problem hiding this comment.
This is reStructuredText, not Markdown, so references look like this:
Suggested change
| Validate IPv6 ZoneID characters in bracketed hostnames to match RFC 6874. `urllib.parse` now rejects ZoneIDs containing invalid or unsafe characters. | |
| Validate IPv6 ZoneID characters in bracketed hostnames to match RFC 6874. :mod:`urllib.parse` now rejects ZoneIDs containing invalid or unsafe characters. |
There was a problem hiding this comment.
urllib.parse is a module, if you want to talk about the function it's urllib.parse.urlparse. I've edited Zero's answer by changing the role as I didn't check which functions are affected (if it's the entire module, it's fine to only quote the module)
There was a problem hiding this comment.
I corrected the blurb and added the tests, thank you for your help.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR tightens the validation of IPv6 Zone Identifiers (ZoneIDs) in bracketed hostnames handled by
urllib.parse(#137146).Problem
Currently,
urllib.parseaccepts any non-null string as a ZoneID, because it delegates IPv6 parsing to theipaddressmodule, which follows RFC 4007. However, RFC 6874 §2.1 defines a stricter character set for ZoneIDs when used in URLs:ZoneIDs in URIs must be percent-encoded and may optionally begin with a literal
%(e.g.,%25) as described in the RFC.Fix
This patch adds an explicit validation step to check that any ZoneID in a URL conforms to the allowed character set.
Before the fix:
After the fix:
Notes
%is present in the hostname (i.e., it's a ZoneID).This improves RFC compliance, reduces risk of incorrect or insecure behavior, and ensures more predictable URL parsing.
urllib.parseaccepts invalid characters in IPv6 ZoneIDs and IPvFuture addresses #137146