gh-137146: Validate IPv6 ZoneID characters against RFC 6874 in urllib.parse

[mauricelambert]

This PR tightens the validation of IPv6 Zone Identifiers (ZoneIDs) in bracketed hostnames handled by urllib.parse (#137146).

Problem

Currently, urllib.parse accepts any non-null string as a ZoneID, because it delegates IPv6 parsing to the ipaddress module, which follows RFC 4007. However, RFC 6874 §2.1 defines a stricter character set for ZoneIDs when used in URLs:

Characters allowed in ZoneIDs (after percent-decoding):
ALPHA / DIGIT / "-" / "." / "_" / "~"

ZoneIDs in URIs must be percent-encoded and may optionally begin with a literal % (e.g., %25) as described in the RFC.

Fix

This patch adds an explicit validation step to check that any ZoneID in a URL conforms to the allowed character set.

Before the fix:

>>> import urllib.parse
>>> urllib.parse.urlparse("http://[fe80::1%zone|bad]/")
ParseResult(scheme='http', netloc='[fe80::1%zone|bad]', path='/', ...)

After the fix:

>>> urllib.parse.urlparse("http://[fe80::1%zone|bad]/")
ValueError: IPv6 ZoneID is invalid

Notes

• This does not affect parsing of valid IPv6 addresses or ZoneIDs that comply with RFC 6874.
• The new check is only triggered if a % is present in the hostname (i.e., it's a ZoneID).

This improves RFC compliance, reduces risk of incorrect or insecure behavior, and ensures more predictable URL parsing.

• Issue: urllib.parse accepts invalid characters in IPv6 ZoneIDs and IPvFuture addresses #137146

[StanFromIreland]

In the future, please use the title format I have edited your title too, as so that our automation can recognise it.

[StanFromIreland]

This needs a blurb entry.

[ZeroIntensity]

Please add a test case.

[ZeroIntensity]

This is reStructuredText, not Markdown, so references look like this:

Suggested change

	Validate IPv6 ZoneID characters in bracketed hostnames to match RFC 6874. `urllib.parse` now rejects ZoneIDs containing invalid or unsafe characters.
	Validate IPv6 ZoneID characters in bracketed hostnames to match RFC 6874. :mod:`urllib.parse` now rejects ZoneIDs containing invalid or unsafe characters.

[picnixz]

urllib.parse is a module, if you want to talk about the function it's urllib.parse.urlparse. I've edited Zero's answer by changing the role as I didn't check which functions are affected (if it's the entire module, it's fine to only quote the module)

[ZeroIntensity]

Oops, thanks.

[mauricelambert]

I corrected the blurb and added the tests, thank you for your help.

[picnixz]

Why are we using \A and \z instead of fullmatch? In addition, we should instead use a compiled regex.

[mauricelambert]

Thanks for the review, it's done.

[picnixz]

The f-string is not necessary (you can also remove it from the other raise ValueError).

[mauricelambert]

Thanks for the review, it's done.

[picnixz]

Can't this actually be delegated to ipadress.ip_address instead?

[mauricelambert]

Thanks @picnixz for your review. I explain it in the description.
ipadress.ip_address uses RFC 4007 because it may implement ZoneID in the IPv6 string representation. In URLs, there are special and not allowed characters. RFC 4007 defines a good string representation, but it is not very suitable for URL format and parsing. So there is another RFC that defines how ZoneID may be written in URL: RFC 6874.
ipadress.ip_address follows RFC 4007 to parse the IPv6 format and urllib should parse the ZoneID as defined by the URL format. So these are two different representations and two different implementations. We can't use ipadress.ip_address if we want to respect the URL format and parsing rules.