Opened 10 years ago

Closed 10 years ago

#25637 closed Cleanup/optimization (fixed)

Add label and hostname length validation in URLValidator

Reported by: Dheerendra Rathor Owned by: Raphael Michel
Component: Core (Other) Version: dev
Severity: Normal Keywords:
Cc: zborboa@… Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Length of labels in hostname (FQDN) should be <= 63 and total length of hostname should be <= 253.

Change History (9)

comment:1 by Tim Graham, 10 years ago

Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization

comment:2 by Tim Graham, 10 years ago

Summary: label and hostname length validation in URLValidator → Add label and hostname length validation in URLValidator

comment:3 by Zach Borboa, 10 years ago

Cc: zborboa@… added

comment:4 by Raphael Merx, 10 years ago

The label limit of 64 characters can be done like so:

  • django/core/validators.py

    diff --git a/django/core/validators.py b/django/core/validators.py
    index 15b16bc..26ec822 100644
    a b class URLValidator(RegexValidator):  
    8383    ipv6_re = r'\[[0-9a-f:\.]+\]'  # (simple regex, validated later)
    8484
    8585    # Host patterns
    86     hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9])?'
     86    hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]{0,61}[a-z' + ul + r'0-9])?'
    8787    domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]+(?<!-))*'
    8888    tld_re = r'\.(?:[a-z' + ul + r']{2,}|xn--[a-z0-9]+)\.?'
    8989    host_re = '(' + hostname_re + domain_re + tld_re + '|localhost)'
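
Review bot: Only the first label is bounded by this change. `hostname_re` now caps its middle run at `{0,61}`, but `domain_re` on the following line still uses an unbounded `+` and `tld_re` still uses `{2,}`, so any label after the first can exceed 63 characters and still match. Apply the same bound to `domain_re` and `tld_re`, and add a short comment next to `{0,61}` saying it is the 63-character limit minus the required first and last characters. The total hostname length is not checked anywhere in this hunk and needs a separate check on the matched host.
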
  • tests/validators/tests.py

    diff --git a/tests/validators/tests.py b/tests/validators/tests.py
    index ad82eb6..52002fe 100644
    a b TEST_DATA = [  
    214214    # Trailing junk does not take forever to reject
    215215    (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br ', ValidationError),
    216216    (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br z', ValidationError),
     217    # hostname label with length >= 64
     218    (URLValidator(), 'http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a.com', ValidationError),
    217219
    218220    (BaseValidator(True), True, None),
    219221    (BaseValidator(True), False, ValidationError),
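
Review bot: The new case at line 218 exercises only an over-long first label, so it would pass even though later labels are still unbounded. Add a failing case where the over-long label sits in a later position (such as the `.a.` slot), and a passing case with a label of exactly 63 characters so the boundary is pinned on both sides. The comment `>= 64` would read more directly as `> 63`, matching how the limit is stated in the ticket description.
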

The total length limit seems harder to implement.

comment:5 by Dheerendra Rathor, 10 years ago

The 63-character limit should be applicable to the domain name and TLD regex as well. The total length limit can be implemented by checking the length of the host_re group. Also, you should add your test to invalid_urls.txt.

comment:6 by Raphael Michel, 10 years ago

Owner: changed from nobody to Raphael Michel
Status: new → assigned

comment:7 by Raphael Michel, 10 years ago

Has patch: set

comment:8 by Raphael Michel, 10 years ago

apollo13 asked on IRC whether the same length limits apply for IDN domain names and yes, they do: https://tools.ietf.org/html/rfc5890#section-2.3.2.1

comment:9 by Tim Graham <timograham@…>, 10 years ago

Resolution: fixed
Status: assigned → closed

In 82976e5c:

Fixed #25637 -- Added URLValidator hostname length validation.

URLValidator now validates the maximum length of a hostname and the
maximum length of all labels inside the hostname.
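
An added example (not Django's code and not the patch from this ticket): a stand-alone Python check of the 63-character label limit and the 253-character hostname limit discussed above, measuring IDN labels in their ASCII `xn--` form, which is where the limit applies. The function names and the simplified IDN conversion (lower-casing plus Punycode only) are assumptions of this example.

```python
# Added example: stand-alone hostname length check (not Django's implementation).
from urllib.parse import urlsplit

MAX_LABEL_LEN = 63      # per-label limit from the ticket description
MAX_HOSTNAME_LEN = 253  # total hostname limit from the ticket description


def to_a_label(label):
    """Return the ASCII form of a label; IDN labels become 'xn--' + Punycode.

    Simplification (assumption): only lower-casing is applied, not the full
    IDNA mapping rules, which is enough to measure the encoded length.
    """
    label = label.lower()
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def hostname_length_errors(hostname):
    """Return a list of length problems; an empty list means the host passes."""
    # A single trailing dot (the DNS root) does not count toward the limits.
    host = hostname[:-1] if hostname.endswith(".") else hostname
    labels = [to_a_label(part) for part in host.split(".")]
    errors = []
    for position, label in enumerate(labels):
        if not label:
            errors.append(f"label {position} is empty")
        elif len(label) > MAX_LABEL_LEN:
            errors.append(f"label {position} is {len(label)} characters")
    total = len(".".join(labels))
    if total > MAX_HOSTNAME_LEN:
        errors.append(f"hostname is {total} characters")
    return errors


def url_host_length_errors(url):
    """Apply the check to the host part of a URL."""
    host = urlsplit(url).hostname
    return ["no host in URL"] if not host else hostname_length_errors(host)
```

Every label is checked, not only the first, and a label that is short in Unicode can still fail once encoded.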
