Enhance IPv6 zone ID detection logic in adapters.py

tboy1337 · tboy1337 · commit fb86a0e37ac9 · 2026-04-01T14:02:03.000+07:00
- Updated the `_has_ipv6_zone_id` function to more accurately distinguish between zone IDs and percent-encoded characters within brackets.
- Improved regex patterns to handle both literal '%' and '%25' cases, ensuring compliance with RFC 6874.
- Added additional test cases in `test_adapters.py` to cover false positives and edge cases for zone ID detection.
diff --git a/src/requests/adapters.py b/src/requests/adapters.py
@@ -90,11 +90,17 @@ def _has_ipv6_zone_id(url: str) -> bool:
     :return: True if URL contains IPv6 zone ID
     :rtype: bool
     """
-    # Look for pattern: [<text>%<text>] indicating IPv6 with zone ID
-    # The % can be URL-encoded as %25 or literal %
-    # Match brackets containing a % anywhere in the URL
-    # This handles both literal % and %25 encoding
-    return bool(re.search(r"\[[^\]]*%(?:25)?[^\]]*\]", url))
+    # Distinguish zone IDs from arbitrary percent-encoded characters inside brackets.
+    #
+    # A percent-encoded character is exactly %XX (two hex digits), e.g. %20 (space).
+    # A zone ID uses % as a delimiter followed by a network interface name, e.g. %eth0.
+    #
+    # Two forms are detected:
+    #   - Literal %: must be followed by a letter (interface names like eth0, wlan0, lo
+    #     always start with a letter on Linux/macOS), ruling out %20, %2F, etc.
+    #   - RFC 6874 encoded %25: followed by any valid interface-name chars (the %25
+    #     prefix unambiguously signals a zone-ID delimiter, not arbitrary encoding).
+    return bool(re.search(r"\[[^\]]*(?:%25[a-zA-Z0-9_.\-]+|%[a-zA-Z][a-zA-Z0-9_.\-]*)\]", url))
 
 
 def _urllib3_request_context(
diff --git a/tests/test_adapters.py b/tests/test_adapters.py
@@ -34,6 +34,13 @@ class TestIPv6ZoneIDDetection:
             ("http://localhost/", False),
             ("http://example.com/foo%20bar", False),  # % in path, not zone ID
             ("http://[::1]/path%20with%20percent", False),  # % in path, not in host
+            # False-positive guard: percent-encoded chars inside brackets are NOT zone IDs
+            ("http://[::1%20]/", False),  # %20 = space encoding, not a zone ID
+            ("http://[::1%2F]/", False),  # %2F = slash encoding, not a zone ID
+            ("http://[::1%2B]/", False),  # %2B = plus encoding, not a zone ID
+            ("http://[::1%41]/", False),  # %41 = 'A', two hex digits, not a zone ID
+            ("http://[fe80::1%20]:8080/", False),  # %20 in host with port
+            ("http://[::1%25]/", False),  # bare %25 with nothing after it is not a zone ID
             # Edge cases with multiple percent signs
             ("http://[fe80::1%eth0]/path%20test", True),  # Zone ID + path encoding
             ("http://[fe80::1%25eth0]/path%20test", True),  # %25 zone ID + path encoding
