Skip to content

Comments

Reject ambiguously parsed URLs#16622

Merged
woodruffw merged 7 commits intomainfrom
ww/url-ambiguity
Nov 12, 2025
Merged

Reject ambiguously parsed URLs#16622
woodruffw merged 7 commits intomainfrom
ww/url-ambiguity

Conversation

@woodruffw
Copy link
Member

@woodruffw woodruffw commented Nov 6, 2025
edited
Loading

Summary

This tweaks DisplaySafeUrl to reject some ambiguous parsing cases that WHATWG and RFC 3986 otherwise consider valid. Specifically, we reject URLs where the path or fragment component looks like it contains a user:pass, indicating that the parser didn't disambiguate a userinfo section.

The most common underlying reason for this is user error: if a user manually configures something like an index URL with a username or password containing a non-escaped / or #, both RFC 3986 and WHATWG treat that as the beginning of the path/fragment rather than a part of the username/password itself.

Test Plan

I've added unit and integration tests for this. There's a nonzero chance that this snares real-world URLs out there, but I think that risk is pretty small.

@woodruffw woodruffw self-assigned this Nov 6, 2025
@woodruffw woodruffw temporarily deployed to uv-test-registries November 6, 2025 21:45 — with GitHub Actions Inactive
@woodruffw woodruffw mentioned this pull request Nov 6, 2025
Open
@woodruffw woodruffw temporarily deployed to uv-test-registries November 6, 2025 21:58 — with GitHub Actions Inactive
@woodruffw woodruffw temporarily deployed to uv-test-registries November 6, 2025 22:04 — with GitHub Actions Inactive
woodruffw
woodruffw commented Nov 6, 2025
View reviewed changes
@woodruffw woodruffw marked this pull request as ready for review November 6, 2025 22:21
@woodruffw woodruffw requested review from konstin and zanieb November 6, 2025 22:29
woodruffw
woodruffw commented Nov 6, 2025
View reviewed changes
@woodruffw woodruffw temporarily deployed to uv-test-registries November 7, 2025 15:13 — with GitHub Actions Inactive
@woodruffw woodruffw temporarily deployed to uv-test-registries November 10, 2025 20:41 — with GitHub Actions Inactive
zanieb
zanieb reviewed Nov 10, 2025
View reviewed changes
konstin
konstin reviewed Nov 10, 2025
View reviewed changes
@zanieb zanieb temporarily deployed to uv-test-registries November 10, 2025 21:04 — with GitHub Actions Inactive
@woodruffw
Copy link
Member Author

woodruffw commented Nov 11, 2025
edited
Loading

635d1f4 pushes the logic up to the DisplaySafeUrl layer, but at the cost of a new error type and some invariant preservation risks. I'll flag those in comments on the diff.

@woodruffw woodruffw temporarily deployed to uv-test-registries November 11, 2025 17:30 — with GitHub Actions Inactive
@woodruffw woodruffw temporarily deployed to uv-test-registries November 11, 2025 17:49 — with GitHub Actions Inactive
@woodruffw woodruffw temporarily deployed to uv-test-registries November 11, 2025 18:17 — with GitHub Actions Inactive
woodruffw
woodruffw commented Nov 11, 2025
View reviewed changes
@woodruffw woodruffw temporarily deployed to uv-test-registries November 11, 2025 18:36 — with GitHub Actions Inactive
konstin added a commit that referenced this pull request Nov 11, 2025
@konstin
Remove unnecessary DisplaySafeUrl::from
65d1441 
For #16622
@konstin konstin mentioned this pull request Nov 11, 2025
Merged
konstin added a commit that referenced this pull request Nov 11, 2025
@konstin
Remove unnecessary DisplaySafeUrl::from (#16689)
92c2bfc 
For #16622
@woodruffw woodruffw temporarily deployed to uv-test-registries November 12, 2025 01:56 — with GitHub Actions Inactive
@woodruffw woodruffw temporarily deployed to uv-test-registries November 12, 2025 01:59 — with GitHub Actions Inactive
@konstin konstin added the enhancement New feature or improvement to existing functionality label Nov 12, 2025
zanieb
zanieb approved these changes Nov 12, 2025
View reviewed changes
Copy link
Member

@zanieb zanieb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure!

woodruffw and others added 7 commits November 12, 2025 10:44
@woodruffw
Reject ambiguously parsed URLs
1b08216 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
clippy fixes
c31a9ab 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
fix a return type
a887e66 
Signed-off-by: William Woodruff <[email protected]>
@zanieb @woodruffw
Review
5eb4e0b
@woodruffw
move ambiguous URL check to DisplaySafeUrl
160a244 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
remove From impl for DisplaySafeUrl
eb94855 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
remove a TODO
be08342 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw enabled auto-merge (squash) November 12, 2025 15:48
@woodruffw woodruffw temporarily deployed to uv-test-registries November 12, 2025 16:02 — with GitHub Actions Inactive
@woodruffw woodruffw merged commit ae1edef into main Nov 12, 2025
336 of 339 checks passed
@woodruffw woodruffw deleted the ww/url-ambiguity branch November 12, 2025 16:27
@BrewTestBot BrewTestBot mentioned this pull request Nov 12, 2025
Merged
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Nov 14, 2025
@tmeijn
build(deps): update astral-sh/uv to v0.9.9
46cdc3a 
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.9.8` -> `0.9.9` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>astral-sh/uv (astral-sh/uv)</summary>

### [`v0.9.9`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#099)

[Compare Source](astral-sh/uv@0.9.8...0.9.9)

Released on 2025-11-12.

##### Deprecations

- Deprecate use of `--project` in `uv init` ([#&#8203;16674](astral-sh/uv#16674))

##### Enhancements

- Add iOS support to Python interpreter discovery ([#&#8203;16686](astral-sh/uv#16686))
- Reject ambiguously parsed URLs ([#&#8203;16622](astral-sh/uv#16622))
- Allow explicit values in `uv version --bump` ([#&#8203;16555](astral-sh/uv#16555))
- Warn on use of managed pre-release Python versions when a stable version is available ([#&#8203;16619](astral-sh/uv#16619))
- Allow signing trampolines on Windows by using `.rcdata` to store metadata ([#&#8203;15068](astral-sh/uv#15068))
- Add `--only-emit-workspace` and similar variants to `uv export` ([#&#8203;16681](astral-sh/uv#16681))

##### Preview features

- Add `uv workspace dir` command ([#&#8203;16678](astral-sh/uv#16678))
- Add `uv workspace metadata` command ([#&#8203;16516](astral-sh/uv#16516))

##### Configuration

- Add `UV_NO_DEFAULT_GROUPS` environment variable ([#&#8203;16645](astral-sh/uv#16645))

##### Bug fixes

- Remove `torch-model-archiver` and `torch-tb-profiler` from PyTorch backend ([#&#8203;16655](astral-sh/uv#16655))
- Fix Pixi environment detection ([#&#8203;16585](astral-sh/uv#16585))

##### Documentation

- Fix `CMD` path in FastAPI Dockerfile ([#&#8203;16701](astral-sh/uv#16701))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNzMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE3My4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
@matthuisman matthuisman mentioned this pull request Nov 17, 2025
Closed
@matthuisman
Copy link

matthuisman commented Nov 17, 2025

I believe this change has broken local editable installs that contain @ in their directory
#16756

@konstin konstin mentioned this pull request Nov 17, 2025
Merged
konstin added a commit that referenced this pull request Nov 17, 2025
@konstin
Don't check file URLs for ambiguously parsed URLs (#16759)
2d75aca 
Fixes #16756
Follow-up for #16622

I noticed that rustfmt couldn't handle the check, so I moved the code
around in the first two commits.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@konstin konstin konstin left review comments

@zanieb zanieb zanieb approved these changes

@charliermarsh charliermarsh Awaiting requested review from charliermarsh

Assignees

@woodruffw woodruffw

Labels

enhancement New feature or improvement to existing functionality

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@woodruffw @matthuisman @zanieb @konstin