Detect non-URLs from forbidden ASCII characters in naive url detector

See qutebrowser#5038.
GanniAkash · Oct 2, 2019 · 5008b3b · 5008b3b
1 parent 949eeee
commit 5008b3b
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/qutebrowser/utils/urlutils.py b/qutebrowser/utils/urlutils.py
@@ -147,7 +147,9 @@ def _is_url_naive(urlstr):
         return False
 
     host = url.host()
-    return '.' in host and not host.endswith('.')
+    tld = r'\.([^.0-9_-]+|xn--[a-z0-9-]+)$'
+    forbidden = r'[\u0000-\u002c\u002f-\u002f\u003a-\u0060\u007b-\u00b6]'
+    return bool(re.search(tld, host) and not re.search(forbidden, host))
 
 
 def _is_url_dns(urlstr):

diff --git a/tests/unit/utils/test_urlutils.py b/tests/unit/utils/test_urlutils.py
@@ -338,6 +338,10 @@ def test_get_search_url_invalid(url):
     (True, True, True, 'qutebrowser.org'),
     (True, True, True, ' qutebrowser.org '),
     (True, True, False, 'http://user:password@example.com/foo?bar=baz#fish'),
+    (True, True, True, 'existing-tld.domains'),
+    # Internationalized domain names
+    (True, True, True, '\u4E2D\u56FD.\u4E2D\u56FD'),  # Chinese TLD
+    (True, True, True, 'xn--fiqs8s.xn--fiqs8s'),  # The same in punycode
     # IPs
     (True, True, False, '127.0.0.1'),
     (True, True, False, '::1'),
@@ -367,6 +371,8 @@ def test_get_search_url_invalid(url):
     (False, True, True, 'deadbeef'),
     (False, True, True, 'hello.'),
     (False, True, False, 'site:cookies.com oatmeal raisin'),
+    (False, True, True, 'example.search_string'),
+    (False, True, True, 'example_search.string'),
     # no DNS because there is no host
     (False, True, False, 'foo::bar'),
     # Valid search term with autosearch