id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28142	is_safe_url() raises ValueError for invalid IPv6 URLs	Michal Čihař	Uman Shahzad	"The is_safe_url function can raise ValueError from _urlsplit. IMHO it should catch the error from parsing and return False in this case.

This can happen for example with `next=http://168.192.0.1]`

Traceback from 1.10, but it happens on 1.11 as well (and actually raises the ValueError even on the login page as it is now doing the validation).

{{{
File ""/usr/lib/python2.7/dist-packages/django/contrib/auth/views.py"" in inner
  47.         return func(*args, **kwargs)

File ""/usr/lib/python2.7/dist-packages/django/views/decorators/debug.py"" in sensitive_post_parameters_wrapper
  76.             return view(request, *args, **kwargs)

File ""/usr/lib/python2.7/dist-packages/django/utils/decorators.py"" in _wrapped_view
  149.                     response = view_func(request, *args, **kwargs)

File ""/usr/lib/python2.7/dist-packages/django/views/decorators/cache.py"" in _wrapped_view_func
  57.         response = view_func(request, *args, **kwargs)

File ""/usr/lib/python2.7/dist-packages/django/contrib/auth/views.py"" in login
  83.             return HttpResponseRedirect(_get_login_redirect_url(request, redirect_to))

File ""/usr/lib/python2.7/dist-packages/django/contrib/auth/views.py"" in _get_login_redirect_url
  53.     if not is_safe_url(url=redirect_to, host=request.get_host()):

File ""/usr/lib/python2.7/dist-packages/django/utils/http.py"" in is_safe_url
  309.     return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)

File ""/usr/lib/python2.7/dist-packages/django/utils/http.py"" in _is_safe_url
  369.     url_info = _urlparse(url)

File ""/usr/lib/python2.7/dist-packages/django/utils/http.py"" in _urlparse
  321.     splitresult = _urlsplit(url, scheme, allow_fragments)

File ""/usr/lib/python2.7/dist-packages/django/utils/http.py"" in _urlsplit
  355.             raise ValueError(""Invalid IPv6 URL"")

Exception Type: ValueError at /accounts/login/
Exception Value: Invalid IPv6 URL
}}}
"	Bug	closed	Utilities	1.11	Normal	fixed		emidanrko564@…	Accepted	1	0	0	0	1	0