This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author steven.daprano
Recipients christian.heimes, martin.panter, nsonaniya2010, orsenthil, steven.daprano, xtreak
Date 2019-01-19.08:50:39
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
In-reply-to <>
> The “urllib.parse” module generally follows RFC 3986, which does not 
> allow a literal backslash in the “userinfo” part:

And yet the parse() function seems to allow arbitrary unescaped 
characters. This is from 3.8.0a0:

py> from urllib.parse import urlparse
py> urlparse(r'http://spam\eggs!cheese&').netloc
py> urlparse(r'http://spam\eggs!cheese&').hostname

If that's a bug, it is a separate bug to this issue.

Backslash doesn't seem relevant to the security issue of userinfo being 
used to mislead:

py> urlparse('').netloc
py> urlparse('').hostname

If it is relevant, can somebody explain to me how?
Date User Action Args
2019-01-19 08:50:41steven.dapranosetrecipients: + steven.daprano, orsenthil, christian.heimes, martin.panter, xtreak, nsonaniya2010
2019-01-19 08:50:39steven.dapranolinkissue35748 messages
2019-01-19 08:50:39steven.dapranocreate