Potential fix for https://github.com/gh-codespace-create/packaging.python.org/security/code-scanning/10

In general, instead of checking whether an allowed hostname appears as a substring of a URL string, you should parse the URL and compare its hostname (and optionally scheme) against the expected value(s). This ensures that embedded occurrences of the hostname (in the path, query, or as part of a longer domain) do not cause false positives.

For this specific case, RTD_CANONICAL_BUILD should be True only when we are on a ReadTheDocs build that is not a PR build and whose canonical URL’s host is exactly packaging.python.org (or, if you want to be more flexible, a clearly defined set of allowed hosts). We can achieve this by:

1. Parsing RTD_URL using urllib.parse.urlparse.
2. Extracting hostname from the parsed result.
3. Comparing that hostname to "packaging.python.org" instead of using "... in RTD_URL".

Concretely, in source/conf.py:

• Add an import from urllib.parse import urlparse alongside the existing imports.
• Replace the RTD_CANONICAL_BUILD expression with logic that:
  • Safely handles RTD_URL being None or empty.
  • Parses RTD_URL and checks that parsed.hostname == "packaging.python.org".

This will preserve the intended meaning (“canonical build when the canonical URL is packaging.python.org, not a PR build, and on RTD”) while avoiding the incomplete substring sanitization.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.