[PATCH] urllib.parse: Restrict IPvFuture regex to RFC 3986-valid characters

mauricelambert · web-flow · commit fb02be2d0fdf · 2025-07-27T14:45:38.000Z
IPvFuture hostnames in URLs were being matched using a too-permissive regex
(`.+`), which allowed invalid characters not defined by RFC 3986.
This patch updates the pattern to only accept characters explicitly allowed
by the RFC for IPvFuture addresses.

According to RFC 3986 §3.2.2, the format of IPvFuture is:

  "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )

Where:
  - unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
  - sub-delims = "!" / "$" / "&amp;" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="

Before the fix:

&gt;&gt;&gt; import urllib.parse
&gt;&gt;&gt; urllib.parse.urlparse("http://[v45.test|test]/path")
ParseResult(scheme='http', netloc='[v45.test|test]', path='/path', ...)

Invalid characters such as `|` were incorrectly accepted.

After the fix:

&gt;&gt;&gt; import urllib.parse
&gt;&gt;&gt; urllib.parse.urlparse("http://[v45.test|test]/path")
Traceback (most recent call last):
    ...
ValueError: IPvFuture address is invalid

This improves standards compliance and prevents malformed URLs from being
silently accepted.
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
@@ -460,7 +460,7 @@ def _check_bracketed_netloc(netloc):
 # https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/
 def _check_bracketed_host(hostname):
     if hostname.startswith('v'):
-        if not re.match(r"\Av[a-fA-F0-9]+\..+\z", hostname):
+        if not re.match(r"\Av[a-fA-F0-9]+\.[\w\.~!$&*+,;=:'()-]+\z", hostname):
             raise ValueError(f"IPvFuture address is invalid")
     else:
         ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4
