Opened 19 years ago
Closed 18 years ago
#3421 closed (fixed)
URLField does not validate IP addresses, or localhost
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | Forms | Version: | dev |
| Severity: | Keywords: | URLField | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
This URL http://127.0.0.1:8000/ doesn't validate. I think it should, because that's where Django's own server runs. Also sites can be run without a domain, only using the IP. This doesn't validate either: http://201.27.42.72/
Attachments (2)
Change History (7)
comment:1 by , 19 years ago
| Component: | Validators → django.newforms |
|---|---|
| Summary: | URLField: 127.0.0.1 URLs are invalid → URLField does not validate IP addresses, or localhost |
| Triage Stage: | Unreviewed → Design decision needed |
by , 18 years ago
| Attachment: | url_re.2.patch added |
|---|
comment:3 by , 18 years ago
| Triage Stage: | Design decision needed → Ready for checkin |
|---|
(added tests in the last patch)
I don't really see a design decision required. Promoting to checkin.
comment:4 by , 18 years ago
Any chance this could be broken into separate options for the field before getting checked in? From a security standpoint I think it's safer to make programmers dictate they want to accept IPs and non-standard port numbers (IPs and non port 80/443 sites are very commonly used by malware/phishing sites and comment form spammers).
comment:5 by , 18 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
I've moved this onto newforms, as this is still an issue there - e.g.:
In [47]: f.clean('http://localhost') ... ValidationError: [u'Enter a valid URL.'] In [48]: f.clean('http://127.0.0.1') ... ValidationError: [u'Enter a valid URL.'] In [49]: f.clean('http://208.113.142.170') ... ValidationError: [u'Enter a valid URL.']Looking at the regex though, it may be more trouble than it's worth to fix this.