Skip to content

fix: encode credentials in MultiHostUrl builder #1829

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 11, 2025
Merged

fix: encode credentials in MultiHostUrl builder #1829

merged 3 commits into from
Oct 11, 2025
+49 −8

Conversation

@willswire
Copy link
Contributor

@willswire willswire commented Oct 8, 2025
edited by pydantic-hooky bot
Loading

Change Summary

  • Percent-encode usernames and passwords when formatting MultiHostUrl host segments so DSNs remain valid
    even with reserved characters.
  • Add a lightweight percent-encoding dependency and helper to centralize the userinfo encoding logic.
  • Extend URL validator tests to cover credential encoding for both single-host and multi-host builders.

Related issue number

Checklist

  • Unit tests for the changes exist
  • Documentation reflects the changes where applicable
  • Pydantic tests pass with this pydantic-core (except for expected changes)
  • My PR is ready to review, please add a comment including the phrase "please review" to assign
    reviewers

Selected Reviewer: @Viicos

@codecov
Copy link

codecov bot commented Oct 8, 2025

Codecov Report

❌ Patch coverage is 0% with 14 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
src/url.rs 0.00% 14 Missing ⚠️

📢 Thoughts on this report? Let us know!

@codspeed-hq
Copy link

codspeed-hq bot commented Oct 8, 2025
edited
Loading

CodSpeed Performance Report

Merging #1829 will not alter performance

Comparing willswire:main (0e120ce) with main (3043aba)

Summary

✅ 163 untouched

@willswire
Copy link
Contributor Author

please review

davidhewitt
davidhewitt reviewed Oct 10, 2025
View reviewed changes
Copy link
Contributor

@davidhewitt davidhewitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, the approach seems good to me, with a suggestion on efficiency.

@willswire @davidhewitt
Update src/url.rs
1e61d74 
Co-authored-by: David Hewitt <[email protected]>
willswire
willswire commented Oct 10, 2025
View reviewed changes
@willswire
Copy link
Contributor Author

Thanks, the approach seems good to me, with a suggestion on efficiency.

Reverted the suggestion due to failing tests

@Viicos
Copy link
Member

Viicos commented Oct 11, 2025

Thanks for the contribution @willswire. @davidhewitt if there's no risk of regressions with this one, we can ship it as a 2.12 backport as well.

@davidhewitt davidhewitt merged commit 1e1c962 into pydantic:main Oct 11, 2025
32 checks passed
@davidhewitt davidhewitt mentioned this pull request Oct 11, 2025
Open
4 tasks
frankie567 added a commit to polarsource/polar that referenced this pull request Oct 20, 2025
@frankie567
server/alembic: avoid Alembic to treat percent-encoded characters in …
32a4554 
…SQLAlchemy URL as interpolation markers.

Appeared becaused Pydantic started to percent-encode user credentials in MultiHostUrl: pydantic/pydantic-core#1829
frankie567 added a commit to polarsource/polar that referenced this pull request Oct 20, 2025
@frankie567
server/alembic: avoid Alembic to treat percent-encoded characters in …
aa8532b 
…SQLAlchemy URL as interpolation markers.

Appeared becaused Pydantic started to percent-encode user credentials in MultiHostUrl: pydantic/pydantic-core#1829
frankie567 added a commit to polarsource/polar that referenced this pull request Oct 20, 2025
@frankie567
server/alembic: avoid Alembic to treat percent-encoded characters in …
d64173a 
…SQLAlchemy URL as interpolation markers.

Appeared becaused Pydantic started to percent-encode user credentials in MultiHostUrl: pydantic/pydantic-core#1829
@grelinfo
Copy link

grelinfo commented Oct 20, 2025
edited
Loading

Is it normal that underscores are as well encoded?

davidhewitt pushed a commit to pydantic/pydantic that referenced this pull request Oct 20, 2025
@willswire
fix: encode credentials in MultiHostUrl builder (pydantic/pydantic-co…
d31cea7 
…re#1829)

Co-authored-by: David Hewitt <[email protected]>

Original-commit-hash: 1e1c962
@vasudev-gm vasudev-gm mentioned this pull request Oct 20, 2025
Closed
davidhewitt pushed a commit to pydantic/pydantic that referenced this pull request Oct 22, 2025
@willswire
fix: encode credentials in MultiHostUrl builder (pydantic/pydantic-co…
70bfe4f 
…re#1829)

Co-authored-by: David Hewitt <[email protected]>

Original-commit-link: pydantic/pydantic-core@1e1c962
@davidhewitt
Copy link
Contributor

Possibly needs tuning back a bit, see https://docs.rs/percent-encoding/latest/percent_encoding/constant.NON_ALPHANUMERIC.html - says it probably encodes too much.

@davidhewitt davidhewitt mentioned this pull request Oct 23, 2025
Merged
4 tasks
@PokkaKiyo
Copy link

Should a change like this be mentioned in release notes of Pydantic?
The context of this is that when upgrading Pydantic the url builder broke, because previously we were encoding the special characters before calling build(), and this encodes those already encoded characters again.
Just my 2 cents, it was pretty confusing as we couldn't find any references in Pydantic.

Also, this closes #1467 too.

@Viicos
Copy link
Member

Viicos commented Oct 31, 2025

Should a change like this be mentioned in release notes of Pydantic?

It is mentioned in https://github.com/pydantic/pydantic/releases/tag/v2.12.1.

The context of this is that when upgrading Pydantic the url builder broke, because previously we were encoding the special characters before calling build()

Thinking about it, this is indeed inconvenient for users already URL-encoding the components. @davidhewitt thoughts? Should we actually revert the change altogether and reconsider for v3?

@PokkaKiyo
Copy link

It is mentioned in https://github.com/pydantic/pydantic/releases/tag/v2.12.1.

Ah I see, didn't put 2 and 2 together, was looking for a subclass😅

@davidhewitt
Copy link
Contributor

Thinking about it, this is indeed inconvenient for users already URL-encoding the components. @davidhewitt thoughts? Should we actually revert the change altogether and reconsider for v3?

I think it's correct to see that this should have been a feature rather than a bugfix. This was a mistake on us in assessing the original report, I think.

I do not think we need to revert fully, instead an encode_credentials optional keyword argument would allow us to keep the logic and allow users who want the encoding to benefit?

@Viicos
Copy link
Member

Viicos commented Nov 3, 2025
edited
Loading

I do not think we need to revert fully, instead an encode_credentials optional keyword argument would allow us to keep the logic and allow users who want the encoding to benefit?

Should we default to True or False? I think we can default to False until V3, and keep it after V3 even if the default would the be True, as some users may have already percent-encoded components.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@davidhewitt davidhewitt davidhewitt left review comments

Assignees

@Viicos Viicos

Labels

ready for review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

PostgresDsn fails to validate with misleading error when special characters present in password

5 participants

@willswire @Viicos @grelinfo @davidhewitt @PokkaKiyo