Merge pull request from GHSA-q2q7-5pp4-w6pg

author: Seth Michael Larson <sethmichaellarson@gmail.com> 2021-05-26 10:43:12 -0500
committer: GitHub <noreply@github.com> 2021-05-26 10:43:12 -0500
commit: e854354f575615a332c15f833d445b84648bc46e (patch)
tree: 5976a39629c8901a6dd3aba42ff76689ab56af0b /test
parent: 97a16d74f287ce84dcb14aa90bf28c9088579257 (diff)
download: urllib3-e854354f575615a332c15f833d445b84648bc46e.tar.gz
1 files changed, 10 insertions, 0 deletions
diff --git a/test/test_util.py b/test/test_util.py
index cd44c426..70c0f633 100644
--- a/test/test_util.py
+++ b/test/test_util.py
@@ -423,6 +423,16 @@ class TestUtil:
                 fragment="hash",
             ),
         ),
+        # Tons of '@' causing backtracking
+        ("https://" + ("@" * 10000) + "[", False),
+        (
+            "https://user:" + ("@" * 10000) + "example.com",
+            Url(
+                scheme="https",
+                auth="user:" + ("%40" * 9999),
+                host="example.com",
+            ),
+        ),
     ]
 
     @pytest.mark.parametrize("url, expected_url", url_vulnerabilities)
author	Seth Michael Larson <sethmichaellarson@gmail.com>	2021-05-26 10:43:12 -0500
committer	GitHub <noreply@github.com>	2021-05-26 10:43:12 -0500
commit	e854354f575615a332c15f833d445b84648bc46e (patch)
tree	5976a39629c8901a6dd3aba42ff76689ab56af0b /test
parent	97a16d74f287ce84dcb14aa90bf28c9088579257 (diff)
download	urllib3-e854354f575615a332c15f833d445b84648bc46e.tar.gz