gh-142412: Add warning about urlsplit's netloc parsing and open redirects #144448


Closed

@kovan commented Feb 3, 2026 (edited by github-actions bot)

Summary

  • Adds a warning to the URL parsing security section explaining that urlsplit/urlparse only parse the netloc when preceded by //
  • Documents that URLs like ///example.com/path result in an empty netloc and a path of /example.com/path
  • Warns that this behavior may lead to open redirect vulnerabilities if applications rely solely on checking the netloc to validate redirect URLs

Test plan

  • make check passed in Doc/ directory
  • Documentation builds correctly

🤖 Generated with Claude Code

📚 Documentation preview 📚: https://cpython-previews--144448.org.readthedocs.build/
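
The parsing behaviour described in the summary above, next to a redirect check that does not rely on netloc alone. This is an added example, not part of the pull request or of CPython's documentation; `ALLOWED_HOSTS`, the function names and the sample targets are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed for this example: hosts the application may redirect to.
ALLOWED_HOSTS = {"app.example.test"}


def parsed(target):
    """Return (netloc, path) exactly as urlsplit() reports them."""
    parts = urlsplit(target)
    return parts.netloc, parts.path


def netloc_only_check(target):
    """The pattern the PR warns about: an empty netloc is taken to mean 'local'."""
    netloc = urlsplit(target).netloc
    return netloc == "" or netloc in ALLOWED_HOSTS


def strict_check(target):
    """Accept one-slash local paths, or http(s) URLs whose host is allow-listed."""
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. a malformed bracketed host
        return False
    if parts.scheme or parts.netloc:
        return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS
    # Test the raw string: urlsplit() has already consumed the leading "//",
    # so parts.path for "///example.com/path" looks like an ordinary local path.
    return target.startswith("/") and not target.startswith("//")


if __name__ == "__main__":
    samples = ["/account/settings", "https://app.example.test/home",
               "//example.com/path", "///example.com/path"]
    for target in samples:
        print(f"{target!r:35} netloc/path={parsed(target)} "
              f"netloc_only={netloc_only_check(target)} strict={strict_check(target)}")
```

The strict check deliberately rejects scheme-less relative targets such as `account`; an application that needs them should resolve them against its own base URL before validating.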

… redirects

Add a warning to the URL parsing security section explaining that urlsplit/urlparse only parse the netloc when preceded by //. This behavior can lead to open redirect vulnerabilities if applications rely solely on checking the netloc to validate redirect URLs.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@picnixz (Member) left a comment

The placing of this note is incorrect and likely auto-generated. In addition, the warning is useless as we're already in a "beware of [...]" section. I would prefer addressing this after we addressed the fate of urlparse in general (and its placement) as a follow-up of #144148.

So for now, I'm closing it.

sense? Is that a sensible ``path``? Is there anything strange about that
``hostname``? etc.

.. warning::
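
Review bot: the `.. warning::` directive at the end of this hunk opens immediately after the paragraph's closing questions about ``path`` and ``hostname``, so it splits a passage that is still walking the reader through how to sanity-check a parsed URL. Consider moving the netloc point to after that passage ends, or stating it as a plain sentence within the passage rather than as an admonition. The directive's body is not visible in these lines, so its wording cannot be checked here.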

It does not make sense to have a warning note here. In addition, its placing interrupts the flow of the current text and is quite off-topic here.

@bedevere-app

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase `I have made the requested changes; please review again`. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.


Reviewers: @picnixz requested changes


Labels: awaiting changes, docs (Documentation in the Doc dir), skip news
