Wednesday, June 27, 2018

Re: Invalid URLs passing validation by URLValidator


Just picking up on a few points...

On Friday, 22 June 2018 21:51:01 UTC+10, Melvyn Sopacua wrote:

> However, officially, HTTP URLs do not allow for username and password as outlined in section 3.3:
>
>     An HTTP URL takes the form:
>
>         http://<host>:<port>/<path>?<searchpart>
>
>     where <host> and <port> are as described in Section 3.1. If :<port>
>     is omitted, the port defaults to 80.  No user name or password is
>     allowed.

Except Django already decided they would accept them: https://code.djangoproject.com/ticket/20003

> So then, the parsing becomes:
>
> scheme = http
>
> host = foo
>
> path = /bar@example.com/

But "foo" is not a valid host, as it's not fully-qualified. (That's how the validator treats it, anyway.)

> That said - Django still validates the ftp variant as being correct, so the bug is still there and nice catch!


I've filed a bug (and created a pull request): https://code.djangoproject.com/ticket/29528

Cheers,

Tim Bell
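
The parsing discussed in the message above, as an added example that is not part of the original thread and is not Django's code: it shows how a validator whose userinfo pattern is too greedy checks a different host than the one an RFC 3986 split yields. The regex, the function names, the `is_fully_qualified` rule and the sample URLs (rebuilt from the scheme/host/path components listed in the message) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed for illustration, NOT Django's pattern: the userinfo group is a
# greedy \S+, so it can swallow "/" and pull the "@" out of the path.
NAIVE_URL = re.compile(
    r"^(?P<scheme>https?|ftp)://(?:(?P<userinfo>\S+)@)?"
    r"(?P<host>[^/@\s]+)(?P<path>/\S*)?$"
)

def is_fully_qualified(host):
    """Assumed stand-in for the 'fully-qualified host' rule in the thread."""
    labels = (host or "").split(".")
    return len(labels) >= 2 and all(labels)

def naive_accepts(url):
    """Validate with the greedy pattern: the host is whatever follows the '@'."""
    m = NAIVE_URL.match(url)
    return bool(m) and is_fully_qualified(m.group("host"))

def strict_components(url):
    """RFC 3986 split: the authority ends at the first '/', '?' or '#',
    so an '@' after that point is path data, never a userinfo delimiter."""
    parts = urlsplit(url)
    userinfo = parts.netloc.rpartition("@")[0] if "@" in parts.netloc else None
    return parts.scheme, userinfo, parts.hostname, parts.path

def strict_accepts(url):
    """Apply the same host rule, but to the host the RFC split yields."""
    scheme, _userinfo, host, _path = strict_components(url)
    return scheme in ("http", "https", "ftp") and is_fully_qualified(host)

if __name__ == "__main__":
    # Constructed inputs, rebuilt from the components listed in the message.
    for url in ("http://foo/bar@example.com/", "ftp://foo/bar@example.com/",
                "http://user:pw@example.com/bar"):
        print(url, naive_accepts(url), strict_accepts(url), strict_components(url))
```

The greedy pattern reads `foo/bar` as credentials and validates `example.com`, while the strict split validates `foo`, the host a client would actually contact.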
