Chris's Wiki :: blog/python/UrllibParsePartialURLs

A semi-surprise with Python's urllib.parse and partial URLs

July 8, 2021

One of the nice things about urllib.parse (and its Python 2 equivalent) is that it will deal with partial URLs as well as full URLs. This is convenient because there are various situations in a web server context where you may get either partial URLs or full URLs, and you'd like to decode both of them in order to extract various pieces of information (primarily the path, since that's all you can reliably count on being present in a partial URL). However, URLs are tricky things once you peek under the hood; see, for example, URLs: It's complicated.... A proper URL parser needs to deal with that full complexity, and that means that it hides a surprise about how relative URLs will be interpreted.

Suppose, for example, that you're parsing an Apache REQUEST_URI to extract the request's path. You have to actually parse the request's URI to get this, because funny people can send you full URLs in HTTP GET requests, which Apache will pass through to you. Now suppose someone accidentally creates a URL for a web page of yours that looks like 'https://example.org//your/page/url' (with two slashes after the host instead of one) and visits it, and you attempt to decode the result of what Apache will hand you:

>>> urllib.parse.urlparse("//your/page/url")
ParseResult(scheme='', netloc='your', path='/page/url', params='', query='', fragment='')

The problem here is that '//ahost.org/some/path' is a perfectly legal protocol-relative URL, so that's what urllib.parse will produce when you give it something that looks like one, which is to say something that starts with '//'. Because we know where it came from, you and I know that this is a relative URL with an extra / at the front, but urlparse() can't make that assumption and there's no way to limit its standard-compliant generality.

If this is an issue for you (as it was for me recently), probably the best thing you can do is check for a leading '//' before you call urlparse() and turn it into just '/' (the simple way is to just strip off the first character in the string). Doing anything more complicated feels like it's too close to trying to actually understand URLs, which is the very job we want to delegate to urlparse() because it's complicated.

PS: Because I tested it just now, the result of giving urlparse() a relative URL that starts with three or more slashes is that it's interpreted as a relative URL, not a protocol-relative URL. The path of the result will have the extra leading slashes stripped off.

Comments on this page:

By Aristotle Pagaltzis at 2021-07-10 20:18:02:

The result of giving urlparse() a relative URL that starts with three or more slashes is that it's interpreted as a relative URL, not a protocol-relative URL. The path of the result will have the extra leading slashes stripped off.

This sounds like you think something different happens from what I found, which is that if you pass a string beginning with two or more slashes, the first two slashes are always taken to mean it’s a protocol-relative URL and are consumed, while the remaining slashes are left in the path part. So '////foo' yields a ParseResult with path='///foo' and everything else set to ''. That’s why three slashes result in a path with a single slash.

This suggests that if you have what you know to be a partial URL, and it starts with two or more slashes, then you should prepend two more to it yourself before passing it to urllib, so that what you get reflects what you would have gotten back if you had a way to explicitly tell urllib that your URL is partial.

Written on 08 July 2021.

«	The initramfs for old kernels can hide old versions of things

Redirecting paths that start with two slashes in Apache