Skip to content

Comments

Reject ambiguously parsed URLs#16622

Merged
woodruffw merged 7 commits intomainfrom
ww/url-ambiguity
Nov 12, 2025
Merged

Reject ambiguously parsed URLs#16622
woodruffw merged 7 commits intomainfrom
ww/url-ambiguity

Conversation

@woodruffw
Copy link
Member

@woodruffw woodruffw commented Nov 6, 2025

Summary

This tweaks DisplaySafeUrl to reject some ambiguous parsing cases that WHATWG and RFC 3986 otherwise consider valid. Specifically, we reject URLs where the path or fragment component looks like it contains a user:pass, indicating that the parser didn't disambiguate a userinfo section.

The most common underlying reason for this is user error: if a user manually configures something like an index URL with a username or password containing a non-escaped / or #, both RFC 3986 and WHATWG treat that as the beginning of the path/fragment rather than a part of the username/password itself.

Test Plan

I've added unit and integration tests for this. There's a nonzero chance that this snares real-world URLs out there, but I think that risk is pretty small.

@woodruffw woodruffw marked this pull request as ready for review November 6, 2025 22:21
@woodruffw woodruffw requested review from konstin and zanieb November 6, 2025 22:29
@zanieb zanieb temporarily deployed to uv-test-registries November 10, 2025 21:04 — with GitHub Actions Inactive
@woodruffw
Copy link
Member Author

woodruffw commented Nov 11, 2025

635d1f4 pushes the logic up to the DisplaySafeUrl layer, but at the cost of a new error type and some invariant preservation risks. I'll flag those in comments on the diff.

@woodruffw woodruffw temporarily deployed to uv-test-registries November 11, 2025 18:36 — with GitHub Actions Inactive
konstin added a commit that referenced this pull request Nov 11, 2025
konstin added a commit that referenced this pull request Nov 11, 2025
@woodruffw woodruffw temporarily deployed to uv-test-registries November 12, 2025 01:56 — with GitHub Actions Inactive
@woodruffw woodruffw temporarily deployed to uv-test-registries November 12, 2025 01:59 — with GitHub Actions Inactive
@konstin konstin added the enhancement New feature or improvement to existing functionality label Nov 12, 2025
Copy link
Member

@zanieb zanieb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure!

woodruffw and others added 7 commits November 12, 2025 10:44
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw enabled auto-merge (squash) November 12, 2025 15:48
@woodruffw woodruffw temporarily deployed to uv-test-registries November 12, 2025 16:02 — with GitHub Actions Inactive
@woodruffw woodruffw merged commit ae1edef into main Nov 12, 2025
336 of 339 checks passed
@woodruffw woodruffw deleted the ww/url-ambiguity branch November 12, 2025 16:27
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Nov 14, 2025
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.9.8` -> `0.9.9` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>astral-sh/uv (astral-sh/uv)</summary>

### [`v0.9.9`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#099)

[Compare Source](astral-sh/uv@0.9.8...0.9.9)

Released on 2025-11-12.

##### Deprecations

- Deprecate use of `--project` in `uv init` ([#&#8203;16674](astral-sh/uv#16674))

##### Enhancements

- Add iOS support to Python interpreter discovery ([#&#8203;16686](astral-sh/uv#16686))
- Reject ambiguously parsed URLs ([#&#8203;16622](astral-sh/uv#16622))
- Allow explicit values in `uv version --bump` ([#&#8203;16555](astral-sh/uv#16555))
- Warn on use of managed pre-release Python versions when a stable version is available ([#&#8203;16619](astral-sh/uv#16619))
- Allow signing trampolines on Windows by using `.rcdata` to store metadata ([#&#8203;15068](astral-sh/uv#15068))
- Add `--only-emit-workspace` and similar variants to `uv export` ([#&#8203;16681](astral-sh/uv#16681))

##### Preview features

- Add `uv workspace dir` command ([#&#8203;16678](astral-sh/uv#16678))
- Add `uv workspace metadata` command ([#&#8203;16516](astral-sh/uv#16516))

##### Configuration

- Add `UV_NO_DEFAULT_GROUPS` environment variable ([#&#8203;16645](astral-sh/uv#16645))

##### Bug fixes

- Remove `torch-model-archiver` and `torch-tb-profiler` from PyTorch backend ([#&#8203;16655](astral-sh/uv#16655))
- Fix Pixi environment detection ([#&#8203;16585](astral-sh/uv#16585))

##### Documentation

- Fix `CMD` path in FastAPI Dockerfile ([#&#8203;16701](astral-sh/uv#16701))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNzMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE3My4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
@matthuisman
Copy link

I believe this change has broken local editable installs that contain @ in their directory
#16756

konstin added a commit that referenced this pull request Nov 17, 2025
Fixes #16756
Follow-up for #16622

I noticed that rustfmt couldn't handle the check, so I moved the code
around in the first two commits.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or improvement to existing functionality

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants