Reject URLs with text before bracket in host (#1654)

rodrigobnogueira · web-flow · commit 3ca1a904e89d · 2026-04-13T00:12:07.000+01:00
diff --git a/CHANGES/1654.bugfix.rst b/CHANGES/1654.bugfix.rst
@@ -0,0 +1,4 @@
+Fixed a parsing issue where URLs containing text before an opening bracket
+in the host component (e.g. ``http://127.0.0.1[aa::ff]``) were silently accepted
+instead of being rejected as strictly invalid per RFC 3986
+-- by :user:`rodrigobnogueira`.
diff --git a/tests/test_url.py b/tests/test_url.py
@@ -344,13 +344,11 @@ def test_ipv6_missing_right_bracket() -> None:
         "http://[]/",
         "http://[1]/",
         "http://[127.0.0.1]/",
-        "http://]1dec:0:0:0::1[/",
     ),
     ids=(
         "empty-IPv6-like-URL",
         "no-colons-in-IPv6",
         "IPv4-inside-brackets",
-        "brackets-in-reversed-order",
     ),
 )
 def test_ipv6_invalid_url(url: str) -> None:
@@ -360,6 +358,33 @@ def test_ipv6_invalid_url(url: str) -> None:
         URL(url)
 
 
+def test_ipv6_brackets_in_reversed_order() -> None:
+    with pytest.raises(ValueError, match="Invalid IPv6 URL"):
+        URL("http://]1dec:0:0:0::1[/")
+
+
+@pytest.mark.parametrize(
+    "url",
+    (
+        "http://127.0.0.1[aa::ff]",
+        "http://127.0.0.1[aa::ff]/",
+        "http://127.0.0.1[aa::ff]:8080/",
+        "http://user@127.0.0.1[aa::ff]/",
+        "http://example.com[::1]/",
+    ),
+    ids=(
+        "ipv4-before-bracket",
+        "ipv4-before-bracket-with-path",
+        "ipv4-before-bracket-with-port",
+        "userinfo-ipv4-before-bracket",
+        "hostname-before-bracket",
+    ),
+)
+def test_host_with_text_before_bracket_is_invalid(url: str) -> None:
+    with pytest.raises(ValueError, match="Invalid IPv6 URL"):
+        URL(url)
+
+
 def test_ipfuture_brackets_not_allowed() -> None:
     with pytest.raises(ValueError, match="IPvFuture address is invalid"):
         URL("http://[v10]/")
diff --git a/yarl/_parse.py b/yarl/_parse.py
@@ -64,6 +64,12 @@ def split_url(url: str) -> SplitURLType:
         ):
             raise ValueError("Invalid IPv6 URL")
         if has_left_bracket:
+            # Per RFC 3986, brackets are only valid at the START of the host
+            # for IP-literal addresses. Text before '[' (e.g. '127.0.0.1[::1]')
+            # is invalid and must be rejected to prevent SSRF bypasses.
+            hostinfo = netloc.rpartition("@")[2]
+            if hostinfo[0] != "[":
+                raise ValueError("Invalid IPv6 URL")
             bracketed_host = netloc.partition("[")[2].partition("]")[0]
             # Valid bracketed hosts are defined in
             # https://www.rfc-editor.org/rfc/rfc3986#page-49
