gh-78809: Fix urlopen crash using credentials in URL by mauricelambert · Pull Request #140919 · python/cpython
This PR addresses a bug in urllib.request.urlopen where the host field would incorrectly include credentials (e.g., user:password@host). This causes errors when attempting to make requests, such as:
To fix this issue, I've added a call to urllib.parse._splituser which ensures that the host field only contains the hostname, without any user information.
>>> from urllib.request import urlopen >>> urlopen("http://test:test@example.com/") Traceback (most recent call last): File "/usr/lib/python3.10/http/client.py", line 890, in _get_hostport port = int(host[i+1:]) ValueError: invalid literal for int() with base 10: 'test@example.com' During handling of the above exception, another exception occurred: Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib/python3.10/urllib/request.py", line 216, in urlopen return opener.open(url, data, timeout) File "/usr/lib/python3.10/urllib/request.py", line 519, in open response = self._open(req, data) File "/usr/lib/python3.10/urllib/request.py", line 536, in _open result = self._call_chain(self.handle_open, protocol, protocol + File "/usr/lib/python3.10/urllib/request.py", line 496, in _call_chain result = func(*args) File "/usr/lib/python3.10/urllib/request.py", line 1377, in http_open return self.do_open(http.client.HTTPConnection, req) File "/usr/lib/python3.10/urllib/request.py", line 1317, in do_open h = http_class(host, timeout=req.timeout, **http_conn_args) File "/usr/lib/python3.10/http/client.py", line 852, in __init__ (self.host, self.port) = self._get_hostport(host, port) File "/usr/lib/python3.10/http/client.py", line 895, in _get_hostport raise InvalidURL("nonnumeric port: '%s'" % host[i+1:]) http.client.InvalidURL: nonnumeric port: 'test@example.com' >>> urlopen("http://test:test@example.com:80/") Traceback (most recent call last): File "/usr/lib/python3.10/urllib/request.py", line 1348, in do_open h.request(req.get_method(), req.selector, req.data, headers, File "/usr/lib/python3.10/http/client.py", line 1283, in request self._send_request(method, url, body, headers, encode_chunked) File "/usr/lib/python3.10/http/client.py", line 1329, in _send_request self.endheaders(body, encode_chunked=encode_chunked) File "/usr/lib/python3.10/http/client.py", line 1278, in endheaders self._send_output(message_body, encode_chunked=encode_chunked) File "/usr/lib/python3.10/http/client.py", line 1038, in _send_output self.send(msg) File "/usr/lib/python3.10/http/client.py", line 976, in send self.connect() File "/usr/lib/python3.10/http/client.py", line 942, in connect self.sock = self._create_connection( File "/usr/lib/python3.10/socket.py", line 824, in create_connection for res in getaddrinfo(host, port, 0, SOCK_STREAM): File "/usr/lib/python3.10/socket.py", line 955, in getaddrinfo for res in _socket.getaddrinfo(host, port, family, type, proto, flags): socket.gaierror: [Errno -2] Name or service not known During handling of the above exception, another exception occurred: Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib/python3.10/urllib/request.py", line 216, in urlopen return opener.open(url, data, timeout) File "/usr/lib/python3.10/urllib/request.py", line 519, in open response = self._open(req, data) File "/usr/lib/python3.10/urllib/request.py", line 536, in _open result = self._call_chain(self.handle_open, protocol, protocol + File "/usr/lib/python3.10/urllib/request.py", line 496, in _call_chain result = func(*args) File "/usr/lib/python3.10/urllib/request.py", line 1377, in http_open return self.do_open(http.client.HTTPConnection, req) File "/usr/lib/python3.10/urllib/request.py", line 1351, in do_open raise URLError(err) urllib.error.URLError: <urlopen error [Errno -2] Name or service not known> >>>
>>> from urllib.request import Request >>> Request("http://test:test@example.com/").host 'example.com' >>>
This ensures that req.host is clean, without any credentials.