Background

RFC 3986 defines a scheme like this:

• scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )

RFC 2234 defines an ALPHA like this:

• ALPHA = %x41-5A / %x61-7A

The WHATWG URL spec defines a scheme like this:

• "A URL-scheme string must be oneASCII alpha, followed by zero or more ofASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."

The bug

This is the scheme string parsing code fromLib/urllib/parse.py:462-468:

i=url.find(':')ifi>0:forcinurl[:i]:ifcnotinscheme_chars:breakelse:scheme,url=url[:i].lower(),url[i+1:]

This is the definition ofscheme_chars fromLib/urllib/parse.py:77-80:

scheme_chars= ('abcdefghijklmnopqrstuvwxyz''ABCDEFGHIJKLMNOPQRSTUVWXYZ''0123456789''+-.')

This will erroneously validate schemes that begin with any of('.', '-', '+', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9'). This behavior is in violation of both specifications.

This bug is reproducible with the following snippet:

>>>fromurllib.parseimporturlparse>>>urlparse(".://")# Should error, but doesn'tParseResult(scheme='.',netloc='',path='',params='',query='',fragment='')

My environment

• CPython versions tested on:
  • 3.12.0a1+ (fb844e1)
  • 3.10.8
• Operating system and architecture:
  • Arch Linux x86_64

• PR:gh-99418: Make urllib.parse.urlparse enforce that a scheme must begin with an alphabetical ASCII character. #99421

• PR:[3.11] gh-99418: Make urllib.parse.urlparse enforce that a scheme must begin with an alphabetical ASCII character. (GH-99421) #99446