

@kovan kovan commented Feb 3, 2026

Summary

  • Adds a warning to the URL parsing security section explaining that urlsplit/urlparse only parse the netloc when preceded by //
  • Documents that URLs like ///example.com/path result in an empty netloc and a path of /example.com/path
  • Warns that this behavior may lead to open redirect vulnerabilities if applications rely solely on checking the netloc to validate redirect URLs

Test plan

  • make check passed in Doc/ directory
  • Documentation builds correctly

🤖 Generated with Claude Code


📚 Documentation preview 📚: https://cpython-previews--144448.org.readthedocs.build/
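The parsing behaviour this PR documents, shown as an added example (not code from the PR, the preview build, or CPython's documentation): ``urlsplit()`` fills ``netloc`` only when the authority is introduced by exactly ``//``, so ``///example.com/path`` comes back with an empty ``netloc`` and the path ``/example.com/path``, and a redirect validator that inspects only ``netloc`` lets it through. The parse result is identical to that of a genuine local path ``/example.com/path``, so the hardened check below looks at the leading characters of the cleaned raw string as well as at ``scheme`` and ``netloc``. The sample URLs, the ``allowed_host`` parameter and the function names are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample inputs (not from the PR); the comments give the
# netloc/path that urlsplit() actually returns for each one.
SAMPLE_URLS = [
    "https://example.com/path",  # absolute: netloc "example.com", path "/path"
    "//example.com/path",        # scheme-relative: netloc "example.com", path "/path"
    "///example.com/path",       # netloc "", path "/example.com/path"
    "/account/settings",         # plain local path: netloc "", path "/account/settings"
]

# ASCII C0 control characters and space: leading characters that browsers
# ignore before deciding how to interpret the start of a URL.
_C0_AND_SPACE = "".join(map(chr, range(0x21)))


def split_summary(url: str) -> tuple[str, str, str]:
    """Return (scheme, netloc, path) exactly as urlsplit() reports them."""
    parts = urlsplit(url)
    return parts.scheme, parts.netloc, parts.path


def netloc_only_check(url: str, allowed_host: str = "") -> bool:
    """The weak validator the PR warns about (hypothetical, for contrast).

    Accepts a redirect target when netloc is empty or equals our own host.
    "///example.com/path" passes because its netloc is empty.
    """
    netloc = urlsplit(url).netloc
    return netloc == "" or netloc == allowed_host


def is_safe_local_redirect(url: str) -> bool:
    """Hardened validator (added example, not a CPython API).

    Accepts only a same-site path: no scheme, no netloc, and a raw string
    that starts with a single "/" followed by something other than "/" or
    "\\". urlsplit() cannot distinguish "///example.com/path" from
    "/example.com/path" (both give netloc "" and path "/example.com/path"),
    so that decision has to be made on the raw text.
    """
    # Drop tab/CR/LF anywhere and leading C0 controls/space, mirroring the
    # normalisation newer urlsplit() versions apply, so the leading-character
    # test below sees the string a browser would see.
    cleaned = url.translate({ord(c): None for c in "\t\r\n"}).lstrip(_C0_AND_SPACE)
    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        return False
    # Reject "", "//…", "/\…" and "///…": each can be read as authority-bearing
    # by a browser even though urlsplit() reports an empty netloc for some.
    if not cleaned.startswith("/") or cleaned[1:2] in ("/", "\\"):
        return False
    return True


def audit(urls: list[str]) -> list[tuple[str, str, bool, bool]]:
    """For each URL: (url, netloc as parsed, weak check result, hardened result)."""
    return [
        (u, urlsplit(u).netloc, netloc_only_check(u), is_safe_local_redirect(u))
        for u in urls
    ]


if __name__ == "__main__":
    for url, netloc, weak_ok, hardened_ok in audit(SAMPLE_URLS):
        print(f"{url!r:30} netloc={netloc!r:15} netloc-only={weak_ok!s:5} hardened={hardened_ok}")
```

Running the block prints the table for the four constructed URLs; the third row is the case the PR describes, accepted by the netloc-only check and rejected by the hardened one.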

… redirects

Add a warning to the URL parsing security section explaining that
urlsplit/urlparse only parse the netloc when preceded by //. This
behavior can lead to open redirect vulnerabilities if applications
rely solely on checking the netloc to validate redirect URLs.

Co-Authored-By: Claude Opus 4.5 <[email protected]>

@picnixz picnixz left a comment


The placing of this note is incorrect and likely auto-generated. In addition, the warning is useless as we're already in a "beware of [...]" section. I would prefer addressing this after we have addressed the fate of urlparse in general (and its placement) as a follow-up of #144148.

So for now, I'm closing it.

sense? Is that a sensible ``path``? Is there anything strange about that
``hostname``? etc.

.. warning::
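Review bot: the ``.. warning::`` directive at the end of this hunk is inserted directly after the sentence ending ``etc.``, in the middle of the section's running sequence of questions about ``path``, ``hostname`` and the other components; its body is not visible in this context, but an admonition at this point splits the paragraph it is meant to support. Move the note to the end of that paragraph, or phrase the ``///example.com/path`` case (``netloc`` empty because the authority is not preceded by ``//``) as one more question in the existing sequence so it reads as part of the "beware" guidance rather than a separate block.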

It does not make sense to have a warning note here. In addition, its placing interrupts the flow of the current text and is quite off-topic here.


bedevere-app bot commented Feb 3, 2026

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.


Labels: awaiting changes, docs (Documentation in the Doc dir), skip news
