I wrote a PR to fix the following urllib security vulnerability:
While writing my fix, I found another issue about "[" and "]" characters in the user:password section of a URL:
"urllib IPv6 parsing fails with special characters in passwords" https://bugs.python.org/issue33342
My PR tries to validate the "scope" part of "http://%5BIPv6%scope%5D/...": reject "%", "[" and "]" in the scope. But I'm not sure that Python should really support the scope in a URL. Should we just reject URLs with "%scope"? Or if we allow it, which characters should be allowed and/or rejected?
It seems like Firefox and Chromium don't support an IPv6 address with a scope: when I type http://%5B::1%1%5D/, they open a Google search on this URL.
I tested Python urllib.request.urlopen() with my PR: http://%5B::1%1%5D:8080/ works as expected: it opens a connection to the IPv6 localhost on the loopback interface (TCP port 8080).
Currently, my PR allows "%scope" but it rejects "%", "[" and "]" characters in the scope.
I'll let you go through these 2 RFCs about the IPv6 scope / "zone identifier":
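The following is an added example, not code from the bug report, from CPython or from the PR discussed above. It is a stand-alone checker for the "[IPv6%scope]" host form that implements one answer to the question raised in the comment (which characters to allow in the scope): the zone id is validated against the RFC 6874 grammar, ZoneID = 1*( unreserved / pct-encoded ), which by construction rejects a raw "%", "[" or "]" and accepts "%" only as a complete %XX escape. The host is located to the right of the last "@" in the authority, so "[" or "]" in the user:password part cannot shift the bracket matching. The brackets are written literally here rather than as %5B/%5D, the bare "%" delimiter (as in http://[::1%1]) is accepted alongside the RFC's "%25" spelling as an interoperability choice, and the function and class names are my own.

```python
import ipaddress

# RFC 6874: ZoneID = 1*( unreserved / pct-encoded ), unreserved being
# ALPHA / DIGIT / "-" / "." / "_" / "~".  A raw "[" or "]" therefore never
# belongs in a zone id, and "%" may only appear as a complete %XX escape
# (the RFC spells the delimiter itself as "%25", e.g. "[fe80::1%25eth0]").
_UNRESERVED = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~")
_HEX = frozenset("0123456789abcdefABCDEF")
_DIGITS = frozenset("0123456789")


class HostError(ValueError):
    """Raised for a host literal this checker refuses (hypothetical name)."""


def check_zone_id(zone):
    """Validate a zone id per RFC 6874 and return it with %XX escapes decoded.

    Rejects the empty zone id, any raw "[" / "]" (or other non-unreserved
    character) and any "%" that is not a complete two-hex-digit escape.
    """
    if not zone:
        raise HostError("empty zone id")
    out = []
    i = 0
    while i < len(zone):
        c = zone[i]
        if c in _UNRESERVED:
            out.append(c)
            i += 1
        elif c == "%":
            esc = zone[i + 1:i + 3]
            if len(esc) != 2 or not set(esc) <= _HEX:
                raise HostError("bare or malformed %% in zone id %r" % zone)
            out.append(chr(int(esc, 16)))
            i += 3
        else:
            raise HostError("%r not allowed in zone id %r" % (c, zone))
    return "".join(out)


def _authority(url):
    """Return the authority (user:pass@host:port) of url without urlsplit()."""
    start = url.find("//")
    if start < 0:
        raise HostError("no authority component in %r" % url)
    authority = url[start + 2:]
    for stop in "/?#":
        cut = authority.find(stop)
        if cut >= 0:
            authority = authority[:cut]
    return authority


def split_ipv6_host(url):
    """Return (address, zone, port) for a URL whose host is "[IPv6]" or "[IPv6%zone]".

    zone and port are None when absent.  The host is taken from the right of
    the last "@", so "[" or "]" inside user:password cannot confuse the
    bracket matching.
    """
    hostport = _authority(url).rpartition("@")[2]
    if not hostport.startswith("["):
        raise HostError("host is not a bracketed IPv6 literal: %r" % hostport)
    end = hostport.find("]")
    if end < 0:
        raise HostError("unterminated IPv6 literal: %r" % hostport)
    literal, rest = hostport[1:end], hostport[end + 1:]
    port = None
    if rest:
        digits = rest[1:]
        if not rest.startswith(":") or not set(digits) <= _DIGITS:
            raise HostError("unexpected text after IPv6 literal: %r" % rest)
        if digits:
            port = int(digits)
    addr, sep, tail = literal.partition("%")
    try:
        address = str(ipaddress.IPv6Address(addr))
    except ValueError as exc:
        raise HostError("bad IPv6 address %r: %s" % (addr, exc))
    if not sep:
        zone = None
    elif tail.startswith("25") and len(tail) > 2:
        # RFC 6874 spelling: "%25" followed by the zone id.  "[::1%251]" is
        # inherently ambiguous (zone "1" or "251"); the RFC reading wins here.
        zone = check_zone_id(tail[2:])
    else:
        # Bare "%" delimiter, the form tried in the comment above.  Accepting
        # it is an interoperability choice of this example, not an RFC rule.
        zone = check_zone_id(tail)
    return address, zone, port


def is_valid_ipv6_host(url):
    """True if split_ipv6_host() accepts url, False if it raises HostError."""
    try:
        split_ipv6_host(url)
    except HostError:
        return False
    return True


if __name__ == "__main__":
    for sample in ("http://[::1%1]:8080/", "http://[::1%a[b]/"):
        print(sample, "->", is_valid_ipv6_host(sample))
```

Whether the operating system then accepts the decoded zone id as an interface name or index is a separate check that belongs at socket-connect time; this function only decides what the URL grammar lets through.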