From e514826eea15f2b62bbc13da407b71552ef5ff4c Mon Sep 17 00:00:00 2001
From: Jonathan Huot <jonathan.huot@gmail.com>
Date: Fri, 2 Sep 2022 23:22:17 +0200
Subject: Add check of performance of ipv6 check

---
 tests/test_uri_validate.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tests/test_uri_validate.py b/tests/test_uri_validate.py
index 3489d95..1ef8b1f 100644
--- a/tests/test_uri_validate.py
+++ b/tests/test_uri_validate.py
@@ -31,3 +31,11 @@ class UriValidateTest(TestCase):
         self.assertIsNone(is_absolute_uri('wrong'))
         self.assertIsNone(is_absolute_uri('http://[:1]:38432/path'))
         self.assertIsNone(is_absolute_uri('http://[abcd:efgh::1]/'))
+
+    def test_recursive_regex(self):
+        from datetime import datetime
+        t0 = datetime.now()
+        self.assertIsNone(is_absolute_uri('http://[::::::::::::::::::::::::::]/path'))
+        t1 = datetime.now()
+        spent = t1 - t0
+        self.assertGreater(0.1, spent.total_seconds(), "possible recursive loop detected")
-- 
cgit v1.2.1


From 5d85c61998692643dd9d17e05d2646e06ce391e8 Mon Sep 17 00:00:00 2001
From: Jonathan Huot <jonathan.huot@gmail.com>
Date: Tue, 6 Sep 2022 21:56:40 +0200
Subject: Fix IPV6 regex used to check redirect_uri

---
 oauthlib/uri_validate.py   |  2 +-
 tests/test_uri_validate.py | 51 ++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 48 insertions(+), 5 deletions(-)

diff --git a/oauthlib/uri_validate.py b/oauthlib/uri_validate.py
index 8a6d9c2..a6fe0fb 100644
--- a/oauthlib/uri_validate.py
+++ b/oauthlib/uri_validate.py
@@ -66,7 +66,7 @@ IPv4address = r"%(dec_octet)s \. %(dec_octet)s \. %(dec_octet)s \. %(dec_octet)s
 )
 
 #   IPv6address
-IPv6address = r"([A-Fa-f0-9:]+:+)+[A-Fa-f0-9]+"
+IPv6address = r"([A-Fa-f0-9:]+[:$])[A-Fa-f0-9]{1,4}"
 
 #   IPvFuture     = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
 IPvFuture = r"v %(HEXDIG)s+ \. (?: %(unreserved)s | %(sub_delims)s | : )+" % locals()
diff --git a/tests/test_uri_validate.py b/tests/test_uri_validate.py
index 1ef8b1f..6a9f8ea 100644
--- a/tests/test_uri_validate.py
+++ b/tests/test_uri_validate.py
@@ -1,4 +1,4 @@
-import oauthlib
+import unittest
 from oauthlib.uri_validate import is_absolute_uri
 
 from tests.unittest import TestCase
@@ -7,7 +7,6 @@ from tests.unittest import TestCase
 class UriValidateTest(TestCase):
 
     def test_is_absolute_uri(self):
-
         self.assertIsNotNone(is_absolute_uri('schema://example.com/path'))
         self.assertIsNotNone(is_absolute_uri('https://example.com/path'))
         self.assertIsNotNone(is_absolute_uri('https://example.com'))
@@ -17,16 +16,60 @@ class UriValidateTest(TestCase):
         self.assertIsNotNone(is_absolute_uri('http://example.com'))
         self.assertIsNotNone(is_absolute_uri('http://example.com/path'))
         self.assertIsNotNone(is_absolute_uri('http://example.com:80/path'))
-        self.assertIsNotNone(is_absolute_uri('com.example.bundle.id:/'))
+
+    def test_query(self):
+        self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo'))
+        self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo=bar'))
+        self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo=bar&fruit=banana'))
+
+    def test_fragment_forbidden(self):
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo=bar'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo=bar&fruit=banana'))
+
+    def test_combined_forbidden(self):
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo#bar'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo&bar#fruit'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo=1&bar#fruit=banana'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo=1&bar=2#fruit=banana&bar=foo'))
+
+    def test_custom_scheme(self):
+        self.assertIsNotNone(is_absolute_uri('com.example.bundle.id://'))
+
+    def test_ipv6_bracket(self):
         self.assertIsNotNone(is_absolute_uri('http://[::1]:38432/path'))
         self.assertIsNotNone(is_absolute_uri('http://[::1]/path'))
         self.assertIsNotNone(is_absolute_uri('http://[fd01:0001::1]/path'))
         self.assertIsNotNone(is_absolute_uri('http://[fd01:1::1]/path'))
         self.assertIsNotNone(is_absolute_uri('http://[0123:4567:89ab:cdef:0123:4567:89ab:cdef]/path'))
+        self.assertIsNotNone(is_absolute_uri('http://[0123:4567:89ab:cdef:0123:4567:89ab:cdef]:8080/path'))
+
+    @unittest.skip("ipv6 edge-cases not supported")
+    def test_ipv6_edge_cases(self):
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::'))
+        self.assertIsNotNone(is_absolute_uri('http://::1234:5678'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::1234:5678'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:5555:6666:7777:8888'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF'))
+        self.assertIsNotNone(is_absolute_uri('http://0123:4567:89ab:cdef:0123:4567:89ab:cdef/path'))
+        self.assertIsNotNone(is_absolute_uri('http://::'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:0db8:0001:0000:0000:0ab9:C0A8:0102'))
+
+    @unittest.skip("ipv6 dual ipv4 not supported")
+    def test_ipv6_dual(self):
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:5555:6666:1.2.3.4'))
+        self.assertIsNotNone(is_absolute_uri('http://::11.22.33.44'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::123.123.123.123'))
+        self.assertIsNotNone(is_absolute_uri('http://::1234:5678:91.123.4.56'))
+        self.assertIsNotNone(is_absolute_uri('http://::1234:5678:1.2.3.4'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::1234:5678:5.6.7.8'))
+
+    def test_ipv4(self):
         self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
         self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
         self.assertIsNotNone(is_absolute_uri('http://127.1:38432/'))
 
+    def test_failures(self):
         self.assertIsNone(is_absolute_uri('http://example.com:notaport/path'))
         self.assertIsNone(is_absolute_uri('wrong'))
         self.assertIsNone(is_absolute_uri('http://[:1]:38432/path'))
@@ -35,7 +78,7 @@ class UriValidateTest(TestCase):
     def test_recursive_regex(self):
         from datetime import datetime
         t0 = datetime.now()
-        self.assertIsNone(is_absolute_uri('http://[::::::::::::::::::::::::::]/path'))
+        is_absolute_uri('http://[::::::::::::::::::::::::::]/path')
         t1 = datetime.now()
         spent = t1 - t0
         self.assertGreater(0.1, spent.total_seconds(), "possible recursive loop detected")
-- 
cgit v1.2.1