[CVE-2024-9287] ensure that bracketed hosts found by urlsplit are of …

…IPv6 or IPvFuture format

Fix urlparse incorrectly retrieves IPv4 and regular name hosts from inside of brackets

Reproducer is

    python3 -c \
    'from urllib.parse import urlparse; print(urlparse("https://user:some]password[@host.com"))'

This command should fail with the error "ValueError: '@host.com'
does not appear to be an IPv4 or IPv6 address". If it doesn’t and produces

    ParseResult(scheme='https', netloc='user:some]password[@host.com',
    path='', params='', query='', fragment='')

it is this bug.

Fixes: bsc#1233307 (CVE-2024-11168)
Fixes: gh#python#103848
Co-authored-by: JohnJamesUtley <jjutley231@gmail.com>
From-PR: gh#python/cpython!103849
Patch: CVE-2024-11168-validation-IPv6-addrs.patch

Lib/ipaddress.py

@@ -1911,7 +1911,7 @@ class IPv6Address(_BaseV6, _BaseAddress):
 
     """Represent and manipulate single IPv6 Addresses."""
 
-    __slots__ = ('_ip', '__weakref__')
+    __slots__ = ('_ip', '_scope_id', '__weakref__')
 
     def __init__(self, address):
         """Instantiate a new IPv6 address object.
@@ -1934,12 +1934,14 @@ def __init__(self, address):
         if isinstance(address, int):
             self._check_int_address(address)
             self._ip = address
+            self._scope_id = None
             return
 
         # Constructing from a packed address
         if isinstance(address, bytes):
             self._check_packed_address(address, 16)
             self._ip = int.from_bytes(address, 'big')
+            self._scope_id = None
             return
 
         # Assume input argument to be string or any object representation