gh-105704: Disallow square brackets ([ and ]) in domain names for parsed URLs

[sethmlarson]

Opening this pull request in favor of #111261, as the original author appears to not be responding to reviews. This moves the error to occur during parsing instead of on the ParseResult properties.

cc @gpshead @orsenthil @pschoen-itsc as reviewers on the previous PR.

• Issue: [CVE-2025-0938] urlparse does not flag hostname *containing* [ or ] as incorrect #105704

[vstinner]

It might be helpful to add tests only with [, and tests only with ]. Such URL is also invalid, no?

[sethmlarson]

Yeah, I'll add tests with that structure too! Thanks :)

[sethmlarson]

Added in ebf92bb

[orsenthil]

LGTM.

Thank you!

[sethmlarson]

The failure in Windows free-threading looks unrelated, I can't merge without all the checks passing so if someone else can that would be appreciated 💜

[orsenthil]

Looks like that's a required to succeed.

[miss-islington-app]

Thanks @sethmlarson for the PR, and @orsenthil for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9, 3.10, 3.11, 3.12, 3.13.
🐍🍒⛏🤖

[bedevere-app]

GH-129526 is a backport of this pull request to the 3.13 branch.

[bedevere-app]

GH-129527 is a backport of this pull request to the 3.12 branch.

[bedevere-app]

GH-129528 is a backport of this pull request to the 3.11 branch.

[bedevere-app]

GH-129529 is a backport of this pull request to the 3.10 branch.

[bedevere-app]

GH-129530 is a backport of this pull request to the 3.9 branch.

[bedevere-bot]

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 Windows11 Refleaks 3.13 has failed when building commit 90e526a.

What do you need to do:

1. Don't panic.
2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
3. Go to the page of the buildbot that failed (https://buildbot.python.org/#/builders/1484/builds/398) and take a look at the build logs.
4. Check if the failure is related to this commit (90e526a) or if it is a false positive.
5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/#/builders/1484/builds/398

Failed tests:

• test_threading

Failed subtests:

• test_finalize_with_trace - test.test_threading.ThreadTests.test_finalize_with_trace
• test_daemon_threads_shutdown_stdout_deadlock - test.test_io.CMiscIOTest.test_daemon_threads_shutdown_stdout_deadlock

Summary of the results of the build (if available):

==

Click to see traceback logs

Traceback (most recent call last):
  File "b:\uildarea\3.13.ware-win11.refleak\build\Lib\test\test_io.py", line 4625, in test_daemon_threads_shutdown_stdout_deadlock
    self.check_daemon_threads_shutdown_deadlock('stdout')
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "b:\uildarea\3.13.ware-win11.refleak\build\Lib\test\test_io.py", line 4618, in check_daemon_threads_shutdown_deadlock
    self.assertRegex(err, pattern)
    ~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^
AssertionError: Regex didn't match: "Fatal Python error: _enter_buffered_busy: could not acquire lock for <(_io\\.)?BufferedWriter name='<stdout>'> at interpreter shutdown, possibly due to daemon threads" not found in 'Windows fatal exception: access violation\n\nWindows fatal exception: access violation\n\n'


Traceback (most recent call last):
  File "b:\uildarea\3.13.ware-win11.refleak\build\Lib\test\test_threading.py", line 470, in test_finalize_with_trace
    assert_python_ok("-c", """if 1:
    ~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
        import sys, threading
        ^^^^^^^^^^^^^^^^^^^^^
    ...<17 lines>...
        sys.settrace(func)
        ^^^^^^^^^^^^^^^^^^
        """)
        ^^^^
  File "b:\uildarea\3.13.ware-win11.refleak\build\Lib\test\support\script_helper.py", line 180, in assert_python_ok
    return _assert_python(True, *args, **env_vars)
  File "b:\uildarea\3.13.ware-win11.refleak\build\Lib\test\support\script_helper.py", line 165, in _assert_python
    res.fail(cmd_line)
    ~~~~~~~~^^^^^^^^^^
  File "b:\uildarea\3.13.ware-win11.refleak\build\Lib\test\support\script_helper.py", line 75, in fail
    raise AssertionError("Process return code is %d\n"
    ...<13 lines>...
                            err))
AssertionError: Process return code is 3221225477
command line: ['b:\\uildarea\\3.13.ware-win11.refleak\\build\\PCbuild\\amd64\\python_d.exe', '-X', 'faulthandler', '-I', '-c', "if 1:\n            import sys, threading\n\n            # A deadlock-killer, to prevent the\n            # testsuite to hang forever\n            def killer():\n                import os, time\n                time.sleep(2)\n                print('program blocked; aborting')\n                os._exit(2)\n            t = threading.Thread(target=killer)\n            t.daemon = True\n            t.start()\n\n            # This is the trace function\n            def func(frame, event, arg):\n                threading.current_thread()\n                return func\n\n            sys.settrace(func)\n            "]