Should we allow IPv6 scope in urllib: http://[IPv6%scope]/path?
Hi,

I wrote a PR to fix the following urllib security vulnerability: "urlparse of urllib returns wrong hostname"
https://bugs.python.org/issue36338
https://github.com/python/cpython/pull/16780

While writing my fix, I found another issue about "[" and "]" characters in the user:password section of a URL: "urllib IPv6 parsing fails with special characters in passwords"
https://bugs.python.org/issue33342

My PR tries to validate the "scope" part of "http://[IPv6%scope]/...": reject "%", "[" and "]" in scope.

But I'm not sure that Python should really support the scope in a URL. Should we just reject URLs with "%scope"? Or if we allow it, which characters should be allowed and/or rejected?

It seems like Firefox and Chromium don't support an IPv6 with a scope: when I type http://[::1%1]/, they open a Google search on this URL.

I tested Python urllib.request.urlopen() with my PR: http://[::1%1]:8080/ works as expected: it opens a connection to the IPv6 localhost in the loopback interface (TCP port 8080).

Currently, my PR allows "%scope" but it rejects "%", "[" and "]" characters in the scope.

I let you go through these 2 RFCs about IPv6 scope / "zone identifier":
https://tools.ietf.org/html/rfc4007
https://tools.ietf.org/html/rfc6874

Victor
--
Night gathers, and now my watch begins. It shall not end until my death.
Participants (1): Victor Stinner
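The scope check described in the message, sketched as an added example (this is not the code from the PR or from CPython). The function names are hypothetical, and the sketch assumes the scope is whatever follows the first "%" inside the brackets and that userinfo ends at the last "@".

```python
import ipaddress

# Characters the message says are rejected inside the scope.
FORBIDDEN_IN_SCOPE = frozenset("%[]")


def parse_bracketed_host(netloc):
    """Split a netloc such as '[::1%1]:8080' into (address, scope, port).

    scope and port are None when absent; malformed input raises ValueError.
    """
    # Drop userinfo first, so "[" or "]" in a password is never read as
    # the host brackets (the situation described in issue33342).
    _, _, hostport = netloc.rpartition("@")
    if not hostport.startswith("["):
        raise ValueError("not a bracketed IPv6 host")
    end = hostport.find("]")  # first "]" closes the host
    if end == -1:
        raise ValueError("missing closing bracket")
    inside, rest = hostport[1:end], hostport[end + 1:]

    addr, sep, scope = inside.partition("%")
    if sep:
        if not scope:
            raise ValueError("empty scope")
        bad = FORBIDDEN_IN_SCOPE.intersection(scope)
        if bad:
            raise ValueError("forbidden character in scope: %r" % sorted(bad))
    else:
        scope = None

    # Validate the address part alone, independent of whether this Python
    # version's ipaddress module accepts a scope suffix itself.
    ipaddress.IPv6Address(addr)  # AddressValueError is a ValueError

    port = None
    if rest:
        if not rest.startswith(":") or not rest[1:].isdigit():
            raise ValueError("unexpected text after ']'")
        port = int(rest[1:])
    return addr, scope, port


def is_valid(netloc):
    """True if parse_bracketed_host() accepts the netloc."""
    try:
        parse_bracketed_host(netloc)
    except ValueError:
        return False
    return True
```

Because the first "]" ends the host, a "]" inside the scope surfaces as unexpected trailing text rather than as a scope character.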