python · Starlette · Heads-up
Starlette: request.url hostname spoofing via malformed path
The HTTP request path is not validated before being used to reconstruct request.url, so a path that does not begin with '/' can spoof the URL's hostname.
What changed
The HTTP request path is not validated before being used to reconstruct request.url. The path is appended directly to scheme://host, so a request-target that does not begin with '/' (e.g. @google.com) produces scheme://host@google.com: the real host is parsed as userinfo and the attacker-supplied value becomes request.url.hostname and the tail of request.url.netloc.
Who it affects
Applications using Starlette that rely on request.url, request.url.netloc, or request.url.hostname for security-sensitive decisions (host-based authorization, redirect/callback base, SSRF target, cache key, audit log) and are not behind a fronting proxy or load balancer that rejects malformed request-targets.
What to do today
Upgrade to a patched version of Starlette that prevents the request path from crossing into the URL authority. Until the upgrade lands, have the fronting proxy or ASGI server reject request-targets that do not begin with '/', and avoid deriving host-based authorization or redirect targets from request.url alone. After upgrading, verify the fix by sending a raw request whose path is @google.com and confirming that request.url.hostname still matches the Host header.
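The following is an added example, not Starlette's own code. It illustrates both the spoofing mechanism described under "What changed" and the interim guard suggested above: a deliberately naive URL reconstruction shows how a path of @google.com turns the real host into userinfo, and a small pure-ASGI middleware rejects any path that is not origin-form before the application sees it. The helper names (reconstruct_url, authority_of, origin_form_guard, run_request), the stand-in app and the host app.example are assumptions made for the demonstration; it also assumes the ASGI server passes the raw request-target through as scope["path"].

```python
from __future__ import annotations

import asyncio
from urllib.parse import urlsplit

# Added illustration, not Starlette's implementation. Names and sample values
# (app.example, echo_host_app) are constructed for this example.


def reconstruct_url(scheme: str, host: str, path: str, *, validate: bool = False) -> str:
    """Rebuild an absolute URL from scheme, Host header value and request path,
    the way a framework does when it builds request.url.

    validate=False glues the path on unchecked (the vulnerable pattern).
    validate=True accepts only origin-form paths (leading '/'), so the path
    can never contribute '@', ':' or similar characters to the authority.
    """
    if validate and not path.startswith("/"):
        raise ValueError(f"request-target must be origin-form, got {path!r}")
    return f"{scheme}://{host}{path}"


def authority_of(url: str) -> tuple[str, str | None]:
    """Return (netloc, hostname) as urllib and most clients would parse them."""
    parts = urlsplit(url)
    return parts.netloc, parts.hostname


def origin_form_guard(app):
    """ASGI middleware: answer 400 to HTTP requests whose path is not origin-form.

    Assumes the ASGI server forwards the raw request-target as scope['path'].
    """
    async def guarded(scope, receive, send):
        if scope["type"] == "http" and not scope.get("path", "").startswith("/"):
            await send({"type": "http.response.start", "status": 400,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"bad request-target"})
            return
        await app(scope, receive, send)
    return guarded


async def echo_host_app(scope, receive, send):
    """Stand-in application: rebuilds the URL naively and echoes its hostname."""
    host = dict(scope["headers"]).get(b"host", b"").decode()
    url = reconstruct_url(scope["scheme"], host, scope["path"])
    hostname = authority_of(url)[1] or ""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": hostname.encode()})


def run_request(app, path: str, host: str = "app.example") -> tuple[int, str]:
    """Drive an ASGI app with one constructed GET request; return (status, body)."""
    scope = {"type": "http", "method": "GET", "scheme": "http", "path": path,
             "headers": [(b"host", host.encode())]}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    status = sent[0]["status"]
    body = b"".join(m.get("body", b"") for m in sent[1:]).decode()
    return status, body


if __name__ == "__main__":
    # Naive reconstruction: '@google.com' demotes app.example to userinfo.
    print(authority_of(reconstruct_url("http", "app.example", "@google.com")))
    # Unguarded app reports the spoofed hostname; guarded app refuses the request.
    print(run_request(echo_host_app, "@google.com"))
    print(run_request(origin_form_guard(echo_host_app), "@google.com"))
    print(run_request(origin_form_guard(echo_host_app), "/login"))
```

Wrapping the application with origin_form_guard is an interim measure only; it does not replace the upgrade, and it assumes nothing upstream rewrites the path before the ASGI server sees it.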