Skip to content

gh-142412: Document urlsplit netloc limitations for redirect validation#151621

Open
zainnadeem786 wants to merge 1 commit into
python:mainfrom
zainnadeem786:gh-142412-urlsplit-warning
Open

gh-142412: Document urlsplit netloc limitations for redirect validation#151621
zainnadeem786 wants to merge 1 commit into
python:mainfrom
zainnadeem786:gh-142412-urlsplit-warning

Conversation

@zainnadeem786

@zainnadeem786 zainnadeem786 commented Jun 18, 2026
edited by bedevere-app Bot
Loading

Copy link
Copy Markdown

Summary

Adds documentation clarifying that urllib.parse.urlsplit() and
urllib.parse.urlparse() should not be relied on solely for validating
redirect targets using the netloc component.

Certain URL forms may produce an empty netloc value while being interpreted
differently by user agents such as web browsers. This can lead to incorrect
assumptions when applications use netloc checks to prevent open redirects.

Changes

  • Added security documentation explaining the limitation of netloc checks.
  • Included an example showing how urlsplit() handles URLs with multiple
    leading slashes.
  • Clarified that applications handling redirects should perform validation
    appropriate for their security requirements.

Issue

Fixes #142412

Notes

This is a follow-up to #144448, incorporating the review feedback by placing
the guidance within the existing "URL parsing security" section rather than
adding a separate warning block.

Testing

  • Documentation change only.
  • Verified the documentation formatting locally.

@bedevere-app bedevere-app Bot added docs Documentation in the Doc dir skip news labels Jun 18, 2026
@github-project-automation github-project-automation Bot moved this to Todo in Docs PRs Jun 18, 2026
@bedevere-app bedevere-app Bot mentioned this pull request Jun 18, 2026
Open
@read-the-docs-community

read-the-docs-community Bot commented Jun 18, 2026
edited
Loading

Copy link
Copy Markdown

Documentation build overview

📚 cpython-previews | 🛠️ Build #33194509 | 📁 Comparing 8a55f3d against main (8d7c6dc)

  🔍 Preview build  

1 file changed
± library/urllib.parse.html

@zainnadeem786 zainnadeem786 force-pushed the gh-142412-urlsplit-warning branch from f86695c to 8a55f3d Compare June 18, 2026 06:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@willingc willingc Awaiting requested review from willingc

@AA-Turner AA-Turner Awaiting requested review from AA-Turner

Assignees

No one assigned

Labels

awaiting review docs Documentation in the Doc dir skip news

Projects

Docs PRs
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Warn about urlsplit()'s netloc not being suitable for open redirect checking

1 participant

@zainnadeem786