Ben Kallus
This isn't supposed to work:

```python3
import hyperlink
hyperlink.URL.from_text("http://example.com:-80")
```

This patch ensures that only valid port strings are accepted. (The root cause of this is that port numbers are...
The port number in the following URL is clearly malformed, but Hyperlink does this:

```python3
>>> hyperlink.URL.from_text("http://example.com: -໑_1\v").port
-11
```

This comes from the fact that ports are parsed with...
1. RFC 9110 says that messages containing invalid Content-Length header field values MUST NOT be forwarded with the invalid header intact:

   > Likewise, a sender MUST NOT forward a message...
Host ']'
The following malformed URL is accepted by rfc3986:

```
B://]
```

Although the character `']'` is allowed in a host, it must be in the context of an IPv6 or...
`'.://'` should not parse. It is not an absolute URI because `'.'` is not a valid scheme, and it is not a relative URI because a `path-noscheme` cannot begin with...
### Remove leading '/' in relative paths.

Addresses #2903. URLs like `a:b` should have path `b` instead of `/b`.
### '.' should be allowed in a URL's scheme

From the WHATWG spec: "If [c](https://url.spec.whatwg.org/#c) is an [ASCII alphanumeric](https://infra.spec.whatwg.org/#ascii-alphanumeric), U+002B (+), U+002D (-), or U+002E (.), append [c](https://url.spec.whatwg.org/#c), [lowercased](https://infra.spec.whatwg.org/#ascii-lowercase), to...
### A leading '/' is improperly appended to relative paths

URLs with relative paths such as `a:b` should have path component `b`. Instead, urllib3 assigns this URL path component `/b`.
From RFC 7230:

> If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt...
I found a bug in Proxygen's HTTP parser that is usable to execute request smuggling attacks against Proxygen-based web services when they are running behind any of the following HTTP...