Opened 8 years ago

Closed 8 years ago

#25637 closed Cleanup/optimization (fixed)

Add label and hostname length validation in URLValidator

Reported by: Dheerendra Rathor Owned by: Raphael Michel
Component: Core (Other) Version: dev
Severity: Normal Keywords:
Cc: zborboa@… Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Length of labels in hostname (FQDN) should be <= 63 and total length of hostname should be <= 253.

Change History (9)

comment:1 by Tim Graham, 8 years ago

Triage Stage: UnreviewedAccepted
Type: UncategorizedCleanup/optimization

comment:2 by Tim Graham, 8 years ago

Summary: label and hostname length validation in URLValidatorAdd label and hostname length validation in URLValidator

comment:3 by Zach Borboa, 8 years ago

Cc: zborboa@… added

comment:4 by Raphael Merx, 8 years ago

The label limit of 64 characters can be done like so:

  • django/core/validators.py

    diff --git a/django/core/validators.py b/django/core/validators.py
    index 15b16bc..26ec822 100644
    a b class URLValidator(RegexValidator):  
    8383    ipv6_re = r'\[[0-9a-f:\.]+\]'  # (simple regex, validated later)
    8484
    8585    # Host patterns
    86     hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9])?'
     86    hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]{0,61}[a-z' + ul + r'0-9])?'
    8787    domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]+(?<!-))*'
    8888    tld_re = r'\.(?:[a-z' + ul + r']{2,}|xn--[a-z0-9]+)\.?'
    8989    host_re = '(' + hostname_re + domain_re + tld_re + '|localhost)'
  • tests/validators/tests.py

    diff --git a/tests/validators/tests.py b/tests/validators/tests.py
    index ad82eb6..52002fe 100644
    a b TEST_DATA = [  
    214214    # Trailing junk does not take forever to reject
    215215    (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br ', ValidationError),
    216216    (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br z', ValidationError),
     217    # hostname label with length >= 64
     218    (URLValidator(), 'http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a.com', ValidationError),
    217219
    218220    (BaseValidator(True), True, None),
    219221    (BaseValidator(True), False, ValidationError),

The total length limit seems harder to implement.

comment:5 by Dheerendra Rathor, 8 years ago

63 character limit should be applicable for domain name and TLD regex as well. Total length limit can be implemented by checking the length of host_re group. Also you should your test in invalid_urls.txt.

comment:6 by Raphael Michel, 8 years ago

Owner: changed from nobody to Raphael Michel
Status: newassigned

comment:7 by Raphael Michel, 8 years ago

Has patch: set

comment:8 by Raphael Michel, 8 years ago

apollo13 asked on IRC whether the same length limits apply for IDN domain names and yes, they do: https://tools.ietf.org/html/rfc5890#section-2.3.2.1

comment:9 by Tim Graham <timograham@…>, 8 years ago

Resolution: fixed
Status: assignedclosed

In 82976e5c:

Fixed #25637 -- Added URLValidator hostname length validation.

URLValidator now validates the maximum length of a hostname and the
maximum length of all labels inside the hostname.

Note: See TracTickets for help on using tickets.
Back to Top