URL User Info Validation (#2244)

* Restrict URL userinfo to NWG RFC 3986

* Update changelog

---------

Co-authored-by: Steven Loria <[email protected]>

CHANGELOG.rst

@@ -4,6 +4,12 @@ Changelog
 3.21.0 (unreleased)
 *******************
 
+Bug fixes:
+
+- Fix validation of ``URL`` fields to allow missing user field,
+  per NWG RFC 3986 (:issue:`2232`). Thanks :user:`ddennerline3` for reporting
+  and :user:`deckar01` for the PR.
+
 Other changes:
 
 - *Backwards-incompatible*: ``__version__``, ``__parsed_version__``, and ``__version_info__``

src/marshmallow/validate.py

@@ -131,9 +131,9 @@ def _regex_generator(
                     # this is validated separately against allowed schemes, so in the regex
                     # we simply want to capture its existence
                     r"(?:[a-z0-9\.\-\+]*)://",
-                    # basic_auth, for URLs encoding a username:password
+                    # userinfo, for URLs encoding authentication
                     # e.g. 'ftp://foo:[email protected]/'
-                    r"(?:[^:@]+?(:[^:@]*?)?@|)",
+                    r"(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?",
                     # netloc, the hostname/domain part of the URL plus the optional port
                     r"(?:",
                     "|".join(hostname_variants),

tests/test_validate.py

@@ -29,6 +29,9 @@
         "http://www.example.com:8000/foo",
         "http://[email protected]",
         "http://user:[email protected]",
+        "http://:[email protected]",
+        "http://@example.com",
+        "http://AZaz09-._~%2A!$&'()*+,;=:@example.com",
     ],
 )
 def test_url_absolute_valid(valid_url):
@@ -58,6 +61,12 @@ def test_url_absolute_valid(valid_url):
         " ",
         "",
         None,
+        "http://user@[email protected]",
+        "http://@[email protected]",
+        "http://@@example.com",
+        "http://^@example.com",
+        "http://%[email protected]",
+        "http://%@example.com",
     ],
 )
 def test_url_absolute_invalid(invalid_url):