Opened 3 years ago
Closed 3 years ago
#32874 closed New feature (wontfix)
Allow URLValidator to accept schema relative URLs
Reported by: | Maciej Strömich | Owned by: | Zoltán Szatmáry |
---|---|---|---|
Component: | Core (Other) | Version: | 3.2 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Based on rfc1808#section-2.4.3 a valid schema relative URL is the one starting with //
URLValidator is not validating such urls.
>>> from django.core.validators import URLValidator >>> value = '//example.com' >>> URLValidator().__call__(value) Traceback (most recent call last): File "<console>", line 1, in <module> File "/opt/venv/lib/python3.8/site-packages/django/core/validators.py", line 110, in __call__ raise ValidationError(self.message, code=self.code, params={'value': value}) django.core.exceptions.ValidationError: ['Enter a valid URL.']
Change History (7)
comment:1 by , 3 years ago
Description: | modified (diff) |
---|
comment:2 by , 3 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 3 years ago
Component: | Uncategorized → Core (Other) |
---|---|
Summary: | URLValidator is not validating schema relative URLs → Allow URLValidator to accept schema relative URLs |
Type: | Bug → New feature |
The default list of accepted schemes is ['http', 'https', 'ftp', 'ftps']
, so I wouldn't call this a bug. I guess the question is whether or not there should be a way to allow schema relative URLs (assuming adding //
to schemes don't already work, I haven't tried it).
comment:4 by , 3 years ago
Triage Stage: | Unreviewed → Accepted |
---|
Yes, I guess it's worth looking into whether we can add support for reasonable complexity. Thanks.
comment:5 by , 3 years ago
The issue with scheme relative urls lies in this code block https://github.com/django/django/blob/stable/3.2.x/django/core/validators.py#L108-L110 in which scheme is split from url based on ://
which in the absolute url makes total sense.
The default list of accepted schemes is ['http', 'https', 'ftp', 'ftps'], so I wouldn't call this a bug. I guess the question is whether or not there should be a way to allow schema relative URLs (assuming adding to schemes don't already work, I haven't tried it).
We were supporting schema relative urls with update to mentioned list in a way like this ["", "http", "https"]
and it works in Django 2.2 well if you're allowing to define the url in your forms like ://example.com
instead of //example.com
.
Between Django2.2 and Django 3.2 https://github.com/django/django/commit/b41d38ae26b1da9519a6cd765bc2f2ce7d355007 was introduced which changed the behaviour of urlsplit()
call.
When upgrading to Django 3.2 URLValidator started to throw TypeError exceptions because the default return value of urlsplit('://example.com).hostname
is None
and it wasn't even getting to the ValidationError
line below.
In Django 2.2 the code was checking for netloc
instead of hostname
which even if the netloc is not correctly found would return an empty string ''
and the len(urlsplit(..
code would pass because ''
is less than 253 characters.
comment:6 by , 3 years ago
Has patch: | set |
---|---|
Owner: | changed from | to
I've just made a PR for that. https://code.djangoproject.com/ticket/32874
comment:7 by , 3 years ago
Resolution: | → wontfix |
---|---|
Status: | assigned → closed |
After review by the Django Security Team, we're going to close this as wontfix.
Protocol relative URLs are something of a legacy from times before HTTPS was the norm, and their use now is generally discouraged. (e.g. modern linters will flag them.)
What's more URLs are used in many non-web contexts, where the lack of a scheme is not valid.
As such it's not something we want to add to URLValidator.
As with other similar cases, if users want to accept such URLs in their application, a custom validator is the way forward.
formatting