gh-142412: Add warning about urlsplit's netloc parsing and open redirects #144448

Closed
Doc/library/urllib.parse.rst (11 changes: 11 additions & 0 deletions)
Expand Up@@ -530,6 +530,17 @@
sense? Is that a sensible ``path``? Is there anything strange about that
``hostname``? etc.

.. warning::
Member


It does not make sense to have a warning note here. In addition, its placing interrupts the flow of the current text and is quite off-topic here.


:func:`urlsplit` (and :func:`urlparse`) does not consider a URL's

Check warning on line 535 in Doc/library/urllib.parse.rst (GitHub Actions / Docs / Docs): py:attr reference target not found: urllib.parse.SplitResult.netloc [ref.attr]

:attr:`~urllib.parse.SplitResult.netloc` to be present unless
it is preceded by ``//``. This means that, for example, the URL
``///example.com/path`` will be parsed with an empty ``netloc`` and a
``path`` of ``/example.com/path``. This behavior may lead to open redirect
vulnerabilities in applications that rely on checking the ``netloc`` to
validate redirect URLs. Always carefully validate redirect targets,
preferably using an allowlist of known-safe URLs or hosts.

What constitutes a URL is not universally well defined. Different applications
have different needs and desired constraints. For instance the living `WHATWG
spec`_ describes what user facing web clients such as a web browser require.
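
Review bot: The example in the added warning does not follow from the rule stated just before it. The text says ``netloc`` is only considered present when preceded by ``//``, yet ``///example.com/path`` does begin with ``//`` and is still parsed with an empty ``netloc``, so the wording does not explain why the host ends up in ``path``. Suggest rewording the sentence to describe what the example shows (an empty ``netloc`` with the host-looking text in ``path``) and tying it to the stated risk, that is, redirect validation that relies on checking ``netloc``. The ``:attr:`~urllib.parse.SplitResult.netloc``` role also fails to resolve in the docs build (the ref.attr warning on line 535); a plain ``netloc`` literal, as used in the rest of the paragraph, would avoid it. Finally, the directive is inserted between the closing questions ("Is that a sensible ``path``? ...") and the "What constitutes a URL" paragraph, which splits that passage; placing it after the passage would keep the existing text intact.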