Support CIDR no_proxy entries

HeroCC · HeroCC · commit a6e2fa687ede · 2026-05-12T16:19:00.000-04:00
diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
@@ -360,8 +360,9 @@ The following classes are provided:
 
    The :envvar:`no_proxy` environment variable can be used to specify hosts
    which shouldn't be reached via proxy; if set, it should be a comma-separated
-   list of hostname suffixes, optionally with ``:port`` appended, for example
-   ``cern.ch,ncsa.uiuc.edu,some.host:8080``.
+   list of hostname suffixes, optionally with ``:port`` appended, and IP
+   address CIDR ranges, for example
+   ``cern.ch,ncsa.uiuc.edu,some.host:8080,192.168.0.0/16``.
 
    .. note::
 
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
@@ -245,6 +245,28 @@ def test_proxy_bypass_environment_host_match(self):
         self.assertFalse(bypass('newdomain.com'))            # no port
         self.assertFalse(bypass('newdomain.com:1235'))       # wrong port
 
+    def test_proxy_bypass_environment_cidr_match(self):
+        bypass = urllib.request.proxy_bypass_environment
+        self.env.set('NO_PROXY',
+                     '192.168.0.0/16, 2001:db8::/32, 172.16.1.1/24')
+        self.assertTrue(bypass('192.168.1.1'))
+        self.assertTrue(bypass('192.168.1.1:1234'))
+        self.assertTrue(bypass('2001:db8::1'))
+        self.assertTrue(bypass('[2001:db8::1]:1234'))
+        self.assertTrue(bypass('172.16.1.255'))
+        self.assertFalse(bypass('192.169.1.1'))
+        self.assertFalse(bypass('2001:db9::1'))
+        self.assertFalse(bypass('172.16.2.1'))
+        self.assertFalse(bypass('python.org'))
+
+    def test_proxy_bypass_environment_invalid_cidr(self):
+        bypass = urllib.request.proxy_bypass_environment
+        self.env.set('NO_PROXY',
+                     '192.168.0.0/33, 2001:db8::/129, anotherdomain.com')
+        self.assertFalse(bypass('192.168.1.1'))
+        self.assertFalse(bypass('2001:db8::1'))
+        self.assertTrue(bypass('anotherdomain.com'))
+
     def test_proxy_bypass_environment_always_match(self):
         bypass = urllib.request.proxy_bypass_environment
         self.env.set('NO_PROXY', '*')
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
@@ -1912,7 +1912,8 @@ def proxy_bypass_environment(host, proxies=None):
     """Test if proxies should not be used for a particular host.
 
     Checks the proxy dict for the value of no_proxy, which should
-    be a list of comma separated DNS suffixes, or '*' for all hosts.
+    be a list of comma separated DNS suffixes, IP address CIDR ranges,
+    or '*' for all hosts.
 
     """
     if proxies is None:
@@ -1928,14 +1929,40 @@ def proxy_bypass_environment(host, proxies=None):
     host = host.lower()
     # strip port off host
     hostonly, port = _splitport(host)
-    # check if the host ends with any of the DNS suffixes
+    host_ip = None
+    checked_host_ip = False
+    # for every entry in no_proxy...
     for name in no_proxy.split(','):
         name = name.strip()
         if name:
             name = name.lstrip('.')  # ignore leading dots
             name = name.lower()
+
+            # check for exact match
             if hostonly == name or host == name:
                 return True
+
+            # check if the IP is within CIDR range
+            if '/' in name:
+                if not checked_host_ip:
+                    from ipaddress import ip_address
+                    for candidate in (hostonly, host):
+                        candidate = candidate.strip('[]')
+                        try:
+                            host_ip = ip_address(candidate)
+                            break
+                        except ValueError:
+                            pass
+                    checked_host_ip = True
+                if host_ip is not None:
+                    from ipaddress import ip_network
+                    try:
+                        if host_ip in ip_network(name, strict=False):
+                            return True
+                    except ValueError:
+                        pass
+
+            # check if the host ends with any of the DNS suffixes
             name = '.' + name
             if hostonly.endswith(name) or host.endswith(name):
                 return True
