Opened 2 years ago

Closed 2 years ago

Last modified 7 days ago

#33968 closed New feature (wontfix)

Make EmailValidator and URLValidator IDNA 2008 compliant

Reported by: j-bernard
Owned by: nobody
Component: Core (Other)
Version: 4.0
Severity: Normal
Keywords: IDNA EAI EmailValidator UrlValidator RFC
Cc: Florian Apolloner
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

This ticket is the second of a list of tickets aiming at bringing Email Address Internationalization (EAI) compliance to Django by supporting International Domain Name (IDN) with regards to the latest standard (IDNA 2008) and fixing some processing on internationalized domains or email addresses.
Previous ticket: #33967

Domain validation is not fully compliant with IDNA 2008 (either in EmailValidator or UrlValidator) as defined in RFC 5891, section 4.2.

A domain name cannot be validated properly with a regex, therefore, an IDN validation should be performed with an appropriate library.

The current validation ignores IDNA errors. Instead, IDNA should be used for domain validation and the regex validation should be skipped for domains as it may lack some specific rules and then end up with invalid domains being accepted.

Moreover, the current validation is made by performing a conversion to A-Label with the Python encodings.idna module which implements a deprecated standard (IDNA 2003).

This conversion should be made IDNA 2008 compliant. The most used Python IDNA 2008 package is idna, which is among the most downloaded Python packages according to PyPI (4th as of the current month) and referred to in the official Python documentation.
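
An added example (not part of the ticket and not Django's code) of what the description means by IDNA errors being ignored and by the IDNA 2003 conversion: it runs a domain through Python's built-in `encodings.idna` codec, returns the codec error instead of swallowing it, and flags names that the IDNA 2003 mapping rewrites, such as `ß` becoming `ss`, a character IDNA 2008 keeps distinct. The helper name, result type and sample domains are assumptions constructed for illustration.

```python
"""Added example: surface IDNA 2003 errors and lossy mappings (stdlib only)."""
import unicodedata
from typing import NamedTuple, Optional


class IdnaResult(NamedTuple):
    alabel: Optional[str]  # ASCII form produced by encodings.idna, None on error
    changed: bool          # True if the mapping altered the name beyond case/NFC
    error: Optional[str]   # codec error text, reported rather than ignored


def check_domain_idna2003(domain: str) -> IdnaResult:
    """Encode `domain` with the stdlib IDNA 2003 codec and report the outcome.

    Hypothetical helper, not Django's validator code.
    """
    try:
        alabel = domain.encode("idna").decode("ascii")
        roundtrip = alabel.encode("ascii").decode("idna")
    except UnicodeError as exc:
        # Raised for empty labels, labels of 64+ octets, prohibited code points.
        return IdnaResult(None, False, str(exc))
    # Case folding and NFC are expected; anything else means the name was remapped.
    expected = unicodedata.normalize("NFC", domain).lower()
    return IdnaResult(alabel, roundtrip.lower() != expected, None)


# Constructed sample inputs.
SAMPLES = ["example.com", "bücher.de", "straße.de", "a..com", "a" * 64 + ".com"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name[:24], check_domain_idna2003(name))
```

A `changed` result means the address that would be used after IDNA 2003 encoding is a different name from the one entered, which is the case to review before accepting or sending to it.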

Change History (4)

comment:1 by Mariusz Felisiak, 2 years ago

Cc: Florian Apolloner added
Component: Core (Mail) → Core (Other)
Resolution: → wontfix
Status: new → closed
Type: Uncategorized → New feature

Thanks for this ticket, however adding a new dependency is always controversial and it isn't a light decision so a strong consensus on the mailing list is required. Please first start a discussion on the DevelopersMailingList, where you'll reach a wider audience and see what others think, and follow the guidelines with regards to requesting features.

Personally, I don't think it's worth the complexity. My initial response would be similar to Python's, i.e. "If you need the IDNA 2008 standard from RFC 5891 and RFC 5895, use a third-party validator".

comment:2 by j-bernard, 2 years ago

Thanks, I started the discussion on the mailing list.

comment:3 by Mike Edmunds, 5 months ago

If this gets reconsidered in the future, it will need to address potential security issues in changing how django.core.mail encodes recipient domains. As of July 2024, using IDNA 2003 for sending email (not IDNA 2008) still seems to be the correct choice—or at least, matches what Gmail and Microsoft's Outlook.com do. Details in https://github.com/django/django/pull/16276#issuecomment-2227512278.


comment:4 by Mike Edmunds, 7 days ago

I've reopened the EmailValidator part of this with more details as #36014. The URLValidator part became moot in Django 1.8, and the (no longer active) call to punycode() was removed in #36007.
