You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
According to RFC 3986 line termination characters like \n are not allowed in any part of a URI but the percent-encoded versions %0A are allowed. For other sections of the URL, such as the query and the path, ParseResult.fromString will normalize \n characters into percent-encoded characters and accept them. This is not true for the fragment section of the URI.
The Bug
Inserting any line termination character into the fragment section of the URL will result in the parsing of the fragment section being cut short.
Background
According to RFC 3986 line termination characters like
\n
are not allowed in any part of a URI but the percent-encoded versions%0A
are allowed. For other sections of the URL, such as the query and the path, ParseResult.fromString will normalize\n
characters into percent-encoded characters and accept them. This is not true for the fragment section of the URI.The Bug
Inserting any line termination character into the fragment section of the URL will result in the parsing of the fragment section being cut short.
Minimal Reproducible Example
This will print
Fragment: Fragment
In contrast Furl, Hyperlink, Urllib, and Yarl all return
Fragment: Fragment%0AThatIsIllusive
Cause
This is the regex used to parse different parts of a URI
This bug is a result of the use of
.*
in the fragment regex. The.
symbol in regex accepts every character except for line termination characters.The text was updated successfully, but these errors were encountered: