Restrict URL userinfo to NWG RFC 3986

src/marshmallow/validate.py

@@ -131,9 +131,9 @@ def _regex_generator(
                     # this is validated separately against allowed schemes, so in the regex
                     # we simply want to capture its existence
                     r"(?:[a-z0-9\.\-\+]*)://",
-                    # basic_auth, for URLs encoding a username:password
+                    # userinfo, for URLs encoding authentication
                     # e.g. 'ftp://foo:[email protected]/'
-                    r"(?:[^:@]+?(:[^:@]*?)?@|)",
+                    r"(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?",
                     # netloc, the hostname/domain part of the URL plus the optional port
                     r"(?:",
                     "|".join(hostname_variants),

tests/test_validate.py

@@ -29,6 +29,9 @@
         "http://www.example.com:8000/foo",
         "http://[email protected]",
         "http://user:[email protected]",
+        "http://:[email protected]",
+        "http://@example.com",
+        "http://AZaz09-._~%2A!$&'()*+,;=:@example.com",
     ],
 )
 def test_url_absolute_valid(valid_url):
@@ -58,6 +61,12 @@ def test_url_absolute_valid(valid_url):
         " ",
         "",
         None,
+        "http://user@[email protected]",
+        "http://@[email protected]",
+        "http://@@example.com",
+        "http://^@example.com",
+        "http://%[email protected]",
+        "http://%@example.com",
     ],
 )
 def test_url_absolute_invalid(invalid_url):