Background

RFC 3986 (spec for URIs) defines a valid port string with the following grammar rule:

• port = *DIGIT

Here's the WHATWG URL spec definition:
"""
A URL-port string must be one of the following:

• the empty string
• one or more ASCII digits representing a decimal number no greater than $2^{16} − 1$.

"""¹

The bug

This is the port string parsing code from Lib/urllib/parse.py:166-176:

def port(self): port = self._hostinfo[1] if port is not None: try: port = int(port, 10) except ValueError: message = f'Port could not be cast to integer value as {port!r}' raise ValueError(message) from None if not ( 0 <= port <= 65535): raise ValueError("Port out of range 0-65535") return port

This will erroneously validate strings "-0" and f"+{x}" for any value of x in the valid range. Given that + and - are not digits, this behavior is in violation of both specifications.

This bug is easily reproducible with the following snippet:

from urllib.parse import urlparse url1 = urlparse("http://python.org:-0") url2 = urlparse("http://python.org:+80") print(url1.port) # prints 0, but error is expected print(url2.port) # prints 80, but error is expected

Happy to submit a PR, but don't want to step on any toes over at #25774.

My environment

• CPython version tested on:
  • 3.10.6
• Operating system and architecture:
  • Arch Linux x86_64