Message 237837 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	martin.panter
Recipients	anthonyryan1, martin.panter
Date	2015-03-11.02:12:44
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1426039964.72.0.489132088656.issue23636@psf.upfronthosting.co.za>
In-reply-to

Content
See also Issue 16134 for adding RTMP schemes to the registry. However, I wonder if it is time for a more general fix, rather than having an arms race with whatever URL scheme someone dreams up next. According to Issue 7904, urlsplit() etc intentially support parsing the //netloc part for arbitrary URL schemes. However when putting it back together, the urlunsplit() etc functions currently cannot assume it is okay to insert an empty netloc “//”, probably because it would break URLs like tel:+1234 or mailto:somebody@example.net. There are a bunch of URL-parsing issues floating around which may be able to come together to solve each other: * Issue 8339: Round trip stripping empty netloc, apparently closed because the URLs were thought to be invalid (thought I disagree) * Issue 15009: Round trip strips empty netloc for yelp:///foo * Issue 23505: Round trip stripping netloc considered a security issue * Issue 5843: Round trip stripping empty query and fragment strings * Issue 22852: Round trip strips empty fragment In Issue 22852, I proposed adding a series of has_netloc/query/fragment flags to the SplitResult etc classes. If that was implemented, we would not have to worry about whitelisting “scgi:” or other schemes in “uses_netloc”. Instead, urlsplit() would automatically set SplitResult(has_netloc=True), and urlunsplit() would know to restore the empty “//” netloc string.

See also Issue 16134 for adding RTMP schemes to the registry. However, I wonder if it is time for a more general fix, rather than having an arms race with whatever URL scheme someone dreams up next.

According to Issue 7904, urlsplit() etc intentially support parsing the //netloc part for arbitrary URL schemes. However when putting it back together, the urlunsplit() etc functions currently cannot assume it is okay to insert an empty netloc “//”, probably because it would break URLs like tel:+1234 or mailto:somebody@example.net.

There are a bunch of URL-parsing issues floating around which may be able to come together to solve each other:

* Issue 8339: Round trip stripping empty netloc, apparently closed because the URLs were thought to be invalid (thought I disagree)
* Issue 15009: Round trip strips empty netloc for yelp:///foo
* Issue 23505: Round trip stripping netloc considered a security issue
* Issue 5843: Round trip stripping empty query and fragment strings
* Issue 22852: Round trip strips empty fragment

In Issue 22852, I proposed adding a series of has_netloc/query/fragment flags to the SplitResult etc classes. If that was implemented, we would not have to worry about whitelisting “scgi:” or other schemes in “uses_netloc”. Instead, urlsplit() would automatically set SplitResult(has_netloc=True), and urlunsplit() would know to restore the empty “//” netloc string.

History
Date	User	Action	Args
2015-03-11 02:12:44	martin.panter	set	recipients: + martin.panter, anthonyryan1
2015-03-11 02:12:44	martin.panter	set	messageid: <1426039964.72.0.489132088656.issue23636@psf.upfronthosting.co.za>
2015-03-11 02:12:44	martin.panter	link	issue23636 messages
2015-03-11 02:12:44	martin.panter	create