You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Issue #5775 notes that IPv6 Zone Identifiers are not parsed correctly when the Zone ID is itself a valid percent-encoded character from the UNRESERVED_SET. That issue was incorrectly closed as a duplicate of #5126, in fact #5126 is to do with a different, resolved, bug in urllib. This ticket here is a duplicate of #5775 but commenting on that ticket is now locked.
IPv6 addresses can have the form fe80::1:2:3:4%zone where zone is any alphanumeric sequence and is platform-dependent. In order to address their use in URLs, where the %zone could be interpreted as a percent-escaped character, RFC6874 requires the % to be replaced with its own percent-escaped representation %25, e.g. http://[fe80::1:2:3:4%25zone.
In requests, this is not enough to protect the Zone ID in the URL, if the zone is a valid percent-escaped character from the UNRESERVED_SET. Specifically, url.py::_normalize_host removes the RFC6874 sequence and replaces it with a simple %, then the round trip through quote/unquote_reserved in utils.py::requote_uri called from PreparedRequest::prepare_url transforms the Zone ID in to the percent-escaped character anyway.
Note that doubly escaping the percent works, but the URL is then neither intuitive nor RFC-compliant.
i.e. the 61 scope specifier, escaped with %25 as per RFC6874, gets incorrectly transformed in to the letter a. Since the above note, the help output is unchanged except requests.version == 2.28.2 and urllib3.version == 1.26.15
Any update on this issue? I'm also seeing an issue when using iDRAC IPv6 link local address to make Redfish calls using requests module, returns 400 status code. If i use iDRAC IPv6 address to make the same Redfish call no issues. Also i can use iDRAC link local address to make the same Redfish call using curl command no issues. Issue only exists when using requests module.
Issue #5775 notes that IPv6 Zone Identifiers are not parsed correctly when the Zone ID is itself a valid percent-encoded character from the
UNRESERVED_SET
. That issue was incorrectly closed as a duplicate of #5126, in fact #5126 is to do with a different, resolved, bug in urllib. This ticket here is a duplicate of #5775 but commenting on that ticket is now locked.IPv6 addresses can have the form
fe80::1:2:3:4%zone
wherezone
is any alphanumeric sequence and is platform-dependent. In order to address their use in URLs, where the%zone
could be interpreted as a percent-escaped character, RFC6874 requires the%
to be replaced with its own percent-escaped representation%25
, e.g.http://[fe80::1:2:3:4%25zone
.In
requests
, this is not enough to protect the Zone ID in the URL, if the zone is a valid percent-escaped character from theUNRESERVED_SET
. Specifically,url.py::_normalize_host
removes the RFC6874 sequence and replaces it with a simple%
, then the round trip throughquote/unquote_reserved
inutils.py::requote_uri
called fromPreparedRequest::prepare_url
transforms the Zone ID in to the percent-escaped character anyway.Note that doubly escaping the percent works, but the URL is then neither intuitive nor RFC-compliant.
Expected Result
Actual Result
System Information
The text was updated successfully, but these errors were encountered: