Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#19070 closed Bug (fixed)

urlize template filter raises exception in some cases

Reported by: rivolaks@… Owned by: Erik Romijn
Component: Template system Version: master
Severity: Normal Keywords: dceu13
Cc: eromijn@… Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

In some cases, urlize template filter fails because it's trying to parse ipv6 url and exception is raised:

>>> from django.utils.html import urlize
>>> urlize('www.ee]')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "django/utils/functional.py", line 193, in wrapper
    return func(*args, **kwargs)
  File "django/utils/html.py", line 213, in urlize
    url = smart_urlquote('http://%s' % middle)
  File "django/utils/html.py", line 152, in smart_urlquote
    scheme, netloc, path, query, fragment = urlsplit(url)
  File "/usr/lib/python2.7/urlparse.py", line 183, in urlsplit
    raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL

'www.google.com]' also breaks, but 'google.com]' doesn't.

IMHO urlize filter should never raise exceptions. In my case it is used on plaintext user input which we have no control over, and I'm assuming that errors in Django's template rendering are always handled internally and silently. In this case I'd expect urlize() to catch the ValueError from urlsplit and handle it somehow, e.g. by skipping the url.

Happens in both 1.4 as well as master, 1.3 is not affected.

Attachments (3)

19070-1.diff (1.6 KB) - added by Claude Paroz 4 years ago.
Fixing the square bracket issue
19070-2.diff (1.9 KB) - added by tom@… 4 years ago.
test_urlize.diff (805 bytes) - added by andrea_crotti 4 years ago.
This adds a test that shows that the behaviour of urlize described here does not fail on 1.6.0

Download all attachments as: .zip

Change History (16)

Changed 4 years ago by Claude Paroz

Attachment: 19070-1.diff added

Fixing the square bracket issue

comment:1 Changed 4 years ago by Claude Paroz

Component: UncategorizedTemplate system
Has patch: set
Triage Stage: UnreviewedAccepted
Type: UncategorizedBug

Attached a patch which fixes the specific square bracket issue (note that the issue is only accurate from Python 2.7).

The question remains whether we should swallow exceptions around smart_urlquote. Aymeric?

comment:2 Changed 4 years ago by Jan Bednařík

Triage Stage: AcceptedReady for checkin

Patch reviewed and it's RFC.

Perhaps the question about swallowing exceptions shoud be discussed in django-developers or in separate ticket.

comment:3 Changed 4 years ago by Andrew Godwin

I'm going to commit the patch since it's the precise fix for this bug and we're getting affected by this - if we want to discuss the general exceptions issue let's do it elsewhere.

comment:4 Changed 4 years ago by Andrew Godwin <andrew@…>

Resolution: fixed
Status: newclosed

In 7f75460fd6befbef805fee3c91608efb0e9f444d:

Fixed #19070 -- urlize filter no longer raises exceptions on 2.7

Thanks to claudep for the patch.

comment:5 Changed 4 years ago by tom@…

Resolution: fixed
Status: closedreopened

With the above patch applied / git HEAD:

>>> from django.utils.html import urlize
>>> urlize('www.ee]')
u'<a href="http://www.ee">www.ee</a>]'
>>> urlize('www[foo.com')
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/Users/tomi/Projects/feedify/venv/lib/python2.7/site-packages/django/utils/functional.py", line 176, in wrapper
    return func(*args, **kwargs)
  File "/Users/tomi/Projects/feedify/venv/lib/python2.7/site-packages/django/utils/html.py", line 168, in urlize
    url = smart_urlquote('http://%s' % middle)
  File "/Users/tomi/Projects/feedify/venv/lib/python2.7/site-packages/django/utils/html.py", line 107, in smart_urlquote
    scheme, netloc, path, query, fragment = urlparse.urlsplit(url)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urlparse.py", line 182, in urlsplit
    raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL
>>> 

pull request at https://github.com/django/django/pull/573 / patch attached.

Changed 4 years ago by tom@…

Attachment: 19070-2.diff added

comment:6 Changed 4 years ago by Andrew Godwin <andrew@…>

Resolution: fixed
Status: reopenedclosed

In 501c7a221cfd022b6d0021fd9a54005c5ffc7a23:

Merge pull request #573 from tominsam/master

Fixed #19070: urlize template filter raises exception in some cases

comment:7 Changed 4 years ago by EmilStenstrom

Resolution: fixed
Status: closednew

It still seems possible to break urlize in Django 1.5.1:

Testcase:

>>> import django
>>> django.VERSION
(1, 5, 1, 'final', 0)
>>> from django.template.defaultfilters import urlize
>>> urlize('[http://168.192.0.1](http://168.192.0.1)')
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/Users/EmilStenstrom/Envs/kundo/lib/python2.7/site-packages/django/template/defaultfilters.py", line 45, in _dec
    return func(*args, **kwargs)
  File "/Users/EmilStenstrom/Envs/kundo/lib/python2.7/site-packages/django/template/defaultfilters.py", line 336, in urlize
    return mark_safe(urlize_impl(value, nofollow=True, autoescape=autoescape))
  File "/Users/EmilStenstrom/Envs/kundo/lib/python2.7/site-packages/django/utils/functional.py", line 194, in wrapper
    return func(*args, **kwargs)
  File "/Users/EmilStenstrom/Envs/kundo/lib/python2.7/site-packages/django/utils/html.py", line 212, in urlize
    url = smart_urlquote(middle)
  File "/Users/EmilStenstrom/Envs/kundo/lib/python2.7/site-packages/django/utils/html.py", line 153, in smart_urlquote
    scheme, netloc, path, query, fragment = urlsplit(url)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urlparse.py", line 182, in urlsplit
    raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL

comment:8 Changed 4 years ago by Tim Graham

Has patch: unset
Triage Stage: Ready for checkinUnreviewed
Version: 1.41.5

@EmilStenstrom, I think opening a new ticket would have been the best course of action here since the commits for this ticket were already released, but moving this back to "Unreviewed" for the new issue.

comment:9 Changed 4 years ago by andrea_crotti

On django (1, 6, 0, 'alpha', 0)
I get a different output
u'[<a href="http://168.192.0.1](http://168.192.0.1)" rel="nofollow">http://168.192.0.1](http://168.192.0.1)</a>'

Version 0, edited 4 years ago by andrea_crotti (next)

Changed 4 years ago by andrea_crotti

Attachment: test_urlize.diff added

This adds a test that shows that the behaviour of urlize described here does not fail on 1.6.0

comment:10 Changed 4 years ago by Erik Romijn

Has patch: set
Keywords: dceu13 added
Owner: changed from nobody to Erik Romijn
Patch needs improvement: set
Status: newassigned
Version: 1.5master

As this problem was reported, I think it would be good to add the test to the testsuite. It's a realistic use, and means we can be sure this does not break at any time. I'll clean the patch a little bit and make a PR.

comment:11 Changed 4 years ago by Erik Romijn

Cc: eromijn@… added
Patch needs improvement: unset
Last edited 4 years ago by Erik Romijn (previous) (diff)

comment:12 Changed 4 years ago by Erik Romijn <eromijn@…>

Resolution: fixed
Status: assignedclosed

In 1927bf7c91761040a7e46197fc2d19b66f2ae332:

Fix #19070 -- Additional test for urlize and brackets

comment:13 Changed 4 years ago by Aymeric Augustin <aymeric.augustin@…>

In d34b1c29e294b19e51a47918125314a1540c01d4:

Merge pull request #1161 from erikr/urlize-additional-test

Fixed #19070 -- Additional test for urlize and brackets

Note: See TracTickets for help on using tickets.
Back to Top