Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#19070 closed Bug (fixed)

urlize template filter raises exception in some cases

Reported by: rivolaks@… Owned by: Sasha Romijn
Component: Template system Version: dev
Severity: Normal Keywords: dceu13
Cc: eromijn@… Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

In some cases, urlize template filter fails because it's trying to parse ipv6 url and exception is raised:

>>> from django.utils.html import urlize
>>> urlize('www.ee]')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "django/utils/functional.py", line 193, in wrapper
    return func(*args, **kwargs)
  File "django/utils/html.py", line 213, in urlize
    url = smart_urlquote('http://%s' % middle)
  File "django/utils/html.py", line 152, in smart_urlquote
    scheme, netloc, path, query, fragment = urlsplit(url)
  File "/usr/lib/python2.7/urlparse.py", line 183, in urlsplit
    raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL

'www.google.com]' also breaks, but 'google.com]' doesn't.

IMHO urlize filter should never raise exceptions. In my case it is used on plaintext user input which we have no control over, and I'm assuming that errors in Django's template rendering are always handled internally and silently. In this case I'd expect urlize() to catch the ValueError from urlsplit and handle it somehow, e.g. by skipping the url.

Happens in both 1.4 as well as master, 1.3 is not affected.

Attachments (3)

19070-1.diff (1.6 KB ) - added by Claude Paroz 11 years ago.
Fixing the square bracket issue
19070-2.diff (1.9 KB ) - added by tom@… 11 years ago.
test_urlize.diff (805 bytes ) - added by andrea_crotti 11 years ago.
This adds a test that shows that the behaviour of urlize described here does not fail on 1.6.0

Download all attachments as: .zip

Change History (16)

by Claude Paroz, 11 years ago

Attachment: 19070-1.diff added

Fixing the square bracket issue

comment:1 by Claude Paroz, 11 years ago

Component: UncategorizedTemplate system
Has patch: set
Triage Stage: UnreviewedAccepted
Type: UncategorizedBug

Attached a patch which fixes the specific square bracket issue (note that the issue is only accurate from Python 2.7).

The question remains whether we should swallow exceptions around smart_urlquote. Aymeric?

comment:2 by Jan Bednařík, 11 years ago

Triage Stage: AcceptedReady for checkin

Patch reviewed and it's RFC.

Perhaps the question about swallowing exceptions shoud be discussed in django-developers or in separate ticket.

comment:3 by Andrew Godwin, 11 years ago

I'm going to commit the patch since it's the precise fix for this bug and we're getting affected by this - if we want to discuss the general exceptions issue let's do it elsewhere.

comment:4 by Andrew Godwin <andrew@…>, 11 years ago

Resolution: fixed
Status: newclosed

In 7f75460fd6befbef805fee3c91608efb0e9f444d:

Fixed #19070 -- urlize filter no longer raises exceptions on 2.7

Thanks to claudep for the patch.

comment:5 by tom@…, 11 years ago

Resolution: fixed
Status: closedreopened

With the above patch applied / git HEAD:

>>> from django.utils.html import urlize
>>> urlize('www.ee]')
u'<a href="http://www.ee">www.ee</a>]'
>>> urlize('www[foo.com')
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/Users/tomi/Projects/feedify/venv/lib/python2.7/site-packages/django/utils/functional.py", line 176, in wrapper
    return func(*args, **kwargs)
  File "/Users/tomi/Projects/feedify/venv/lib/python2.7/site-packages/django/utils/html.py", line 168, in urlize
    url = smart_urlquote('http://%s' % middle)
  File "/Users/tomi/Projects/feedify/venv/lib/python2.7/site-packages/django/utils/html.py", line 107, in smart_urlquote
    scheme, netloc, path, query, fragment = urlparse.urlsplit(url)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urlparse.py", line 182, in urlsplit
    raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL
>>> 

pull request at https://github.com/django/django/pull/573 / patch attached.

by tom@…, 11 years ago

Attachment: 19070-2.diff added

comment:6 by Andrew Godwin <andrew@…>, 11 years ago

Resolution: fixed
Status: reopenedclosed

In 501c7a221cfd022b6d0021fd9a54005c5ffc7a23:

Merge pull request #573 from tominsam/master

Fixed #19070: urlize template filter raises exception in some cases

comment:7 by EmilStenstrom, 11 years ago

Resolution: fixed
Status: closednew

It still seems possible to break urlize in Django 1.5.1:

Testcase:

>>> import django
>>> django.VERSION
(1, 5, 1, 'final', 0)
>>> from django.template.defaultfilters import urlize
>>> urlize('[http://168.192.0.1](http://168.192.0.1)')
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/Users/EmilStenstrom/Envs/kundo/lib/python2.7/site-packages/django/template/defaultfilters.py", line 45, in _dec
    return func(*args, **kwargs)
  File "/Users/EmilStenstrom/Envs/kundo/lib/python2.7/site-packages/django/template/defaultfilters.py", line 336, in urlize
    return mark_safe(urlize_impl(value, nofollow=True, autoescape=autoescape))
  File "/Users/EmilStenstrom/Envs/kundo/lib/python2.7/site-packages/django/utils/functional.py", line 194, in wrapper
    return func(*args, **kwargs)
  File "/Users/EmilStenstrom/Envs/kundo/lib/python2.7/site-packages/django/utils/html.py", line 212, in urlize
    url = smart_urlquote(middle)
  File "/Users/EmilStenstrom/Envs/kundo/lib/python2.7/site-packages/django/utils/html.py", line 153, in smart_urlquote
    scheme, netloc, path, query, fragment = urlsplit(url)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urlparse.py", line 182, in urlsplit
    raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL

comment:8 by Tim Graham, 11 years ago

Has patch: unset
Triage Stage: Ready for checkinUnreviewed
Version: 1.41.5

@EmilStenstrom, I think opening a new ticket would have been the best course of action here since the commits for this ticket were already released, but moving this back to "Unreviewed" for the new issue.

comment:9 by andrea_crotti, 11 years ago

On django (1, 6, 0, 'alpha', 0)
I get a different output
u'[<a href="http://168.192.0.1](http://168.192.0.1)" rel="nofollow">http://168.192.0.1](http://168.192.0.1)</a>'
I'm not entirely sure that this result is correct either though..

Last edited 11 years ago by andrea_crotti (previous) (diff)

by andrea_crotti, 11 years ago

Attachment: test_urlize.diff added

This adds a test that shows that the behaviour of urlize described here does not fail on 1.6.0

comment:10 by Sasha Romijn, 11 years ago

Has patch: set
Keywords: dceu13 added
Owner: changed from nobody to Sasha Romijn
Patch needs improvement: set
Status: newassigned
Version: 1.5master

As this problem was reported, I think it would be good to add the test to the testsuite. It's a realistic use, and means we can be sure this does not break at any time. I'll clean the patch a little bit and make a PR.

comment:11 by Sasha Romijn, 11 years ago

Cc: eromijn@… added
Patch needs improvement: unset
Last edited 11 years ago by Sasha Romijn (previous) (diff)

comment:12 by Erik Romijn <eromijn@…>, 11 years ago

Resolution: fixed
Status: assignedclosed

In 1927bf7c91761040a7e46197fc2d19b66f2ae332:

Fix #19070 -- Additional test for urlize and brackets

comment:13 by Aymeric Augustin <aymeric.augustin@…>, 11 years ago

In d34b1c29e294b19e51a47918125314a1540c01d4:

Merge pull request #1161 from erikr/urlize-additional-test

Fixed #19070 -- Additional test for urlize and brackets

Note: See TracTickets for help on using tickets.
Back to Top