From 7313bf4f204bdef01f797199ec929ebf751cffba Mon Sep 17 00:00:00 2001
From: jpic <jpic@yourlabs.org>
Date: Mon, 22 Jul 2019 00:24:30 +0200
Subject: [PATCH] bpo-36338: Reject hostname with [ at position > 0

Before:

    >>> urlparse('http://good.com[malicious.com]/aoeu').hostname
    'malicious.com'

After:

    >>> urlparse('http://good.com[malicious.com]/aoeu')
    ValueError: Invalid IPv6 URL
---
 Lib/test/test_urlparse.py                           | 13 +++++++++++++
 Lib/urllib/parse.py                                 |  3 ++-
 .../2019-07-22-13-33-37.bpo-36338.MJll68.rst        |  1 +
 3 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 Misc/NEWS.d/next/Security/2019-07-22-13-33-37.bpo-36338.MJll68.rst

diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
index 4ae6ed33858ce2..edeebf0de63842 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -531,6 +531,19 @@ def test_urlsplit_scoped_IPv6(self):
         self.assertEqual(p.hostname, b"fe80::822a:a8ff:fe49:470c%tESt")
         self.assertEqual(p.netloc, b'[FE80::822a:a8ff:fe49:470c%tESt]:1234')
 
+    def test_urlsplit_prevents_hostname_injection(self):
+        cases = [
+            # bpo-36338: Ensure that [ is at position 0 of hostname
+            'http://good.com[bad.com]',
+            b'http://good.com[bad.com]',
+        ]
+        for case in cases:
+            with self.assertRaises(ValueError, msg=case):
+                urllib.parse.urlsplit(case)
+
+            with self.assertRaises(ValueError, msg=case):
+                urllib.parse.urlparse(case)
+
     def test_urlsplit_attributes(self):
         url = "HTTP://WWW.PYTHON.ORG/doc/#frag"
         p = urllib.parse.urlsplit(url)
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index b6608783a89471..87dc05dced1942 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -436,7 +436,8 @@ def urlsplit(url, scheme='', allow_fragments=True):
             if url[:2] == '//':
                 netloc, url = _splitnetloc(url, 2)
                 if (('[' in netloc and ']' not in netloc) or
-                        (']' in netloc and '[' not in netloc)):
+                        (']' in netloc and '[' not in netloc) or
+                        ('[' in netloc and netloc.index('[') != 0)):
                     raise ValueError("Invalid IPv6 URL")
             if allow_fragments and '#' in url:
                 url, fragment = url.split('#', 1)
diff --git a/Misc/NEWS.d/next/Security/2019-07-22-13-33-37.bpo-36338.MJll68.rst b/Misc/NEWS.d/next/Security/2019-07-22-13-33-37.bpo-36338.MJll68.rst
new file mode 100644
index 00000000000000..c18e17254b3e9c
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-07-22-13-33-37.bpo-36338.MJll68.rst
@@ -0,0 +1 @@
+Raise ValueError when parsing hostname with ``[`` in position > 0, e.g. ``good.com[malicious.com]``, that would otherwise return a hostname of ``malicious.com``.