Opened 8 years ago

Closed 8 years ago

#3421 closed (fixed)

URLField does not validate IP addresses, or localhost

Reported by: mirrorballu2@…
Owned by: nobody
Component: Forms
Version: master
Severity:
Keywords: URLField
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

This URL http://127.0.0.1:8000/ doesn't validate. I think it should, because that's where Django's own server runs. Also sites can be run without a domain, only using the IP. This doesn't validate either: http://201.27.42.72/

Attachments (2)

url_re.patch (552 bytes) - added by madssj@… 8 years ago.
url_re patch
url_re.2.patch (1.1 KB) - added by SmileyChris 8 years ago.


Change History (7)

comment:1 Changed 8 years ago by Simon G. <dev@…>

  • Component changed from Validators to django.newforms
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Summary changed from URLField: 127.0.0.1 URLs are invalid to URLField does not validate IP addresses, or localhost
  • Triage Stage changed from Unreviewed to Design decision needed

I've moved this onto newforms, as this is still an issue there - e.g.:

In [47]: f.clean('http://localhost')
...
ValidationError: [u'Enter a valid URL.']

In [48]: f.clean('http://127.0.0.1')
...
ValidationError: [u'Enter a valid URL.']

In [49]: f.clean('http://208.113.142.170')
...
ValidationError: [u'Enter a valid URL.']

Looking at the regex though, it may be more trouble than it's worth to fix this.

comment:2 Changed 8 years ago by madssj@…

  • Has patch set

Attached patch that allows IPs in the URL.

Changed 8 years ago by madssj@…

url_re patch

Changed 8 years ago by SmileyChris

comment:3 Changed 8 years ago by SmileyChris

  • Triage Stage changed from Design decision needed to Ready for checkin

(added tests in the last patch)

I don't really see a design decision required. Promoting to checkin.

comment:4 Changed 8 years ago by anonymous

Any chance this could be broken into separate options for the field before getting checked in? From a security standpoint I think it's safer to make programmers dictate they want to accept IPs and non-standard port numbers (IPs and non port 80/443 sites are very commonly used by malware/phishing sites and comment form spammers).
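
The opt-in behaviour requested in comment 4, as an added example that is not part of the ticket, its patches or Django's code: a stand-alone policy check that rejects IP hosts, localhost and non-default ports unless the caller enables them. The function name `url_policy_errors` and its option names are hypothetical; it uses only the Python standard library.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def url_policy_errors(url, allow_ip=False, allow_localhost=False,
                      allow_any_port=False):
    """Return the list of policy violations for url (empty list = accepted)."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return ["malformed URL"]
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return ["not an absolute http(s) URL"]

    host = parts.hostname.rstrip(".").lower()
    errors = []
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    last_label = host.rsplit(".", 1)[-1]
    if ip is not None and ip.is_loopback:
        # 127.0.0.0/8 and ::1 fall under the localhost option, not the IP option.
        if not allow_localhost:
            errors.append("loopback address")
    elif ip is not None or last_label.isdigit() or last_label.startswith("0x"):
        # Also covers numeric hosts (e.g. a bare decimal) that ipaddress
        # rejects but that some URL parsers still interpret as IPv4.
        if not allow_ip:
            errors.append("IP address host")
    elif host == "localhost" or host.endswith(".localhost"):
        if not allow_localhost:
            errors.append("localhost")

    if (port is not None and port != DEFAULT_PORTS[parts.scheme]
            and not allow_any_port):
        errors.append("non-standard port %d" % port)
    return errors
```

With every option left at its default, the URLs quoted in this ticket are all rejected; a development form that needs http://127.0.0.1:8000/ passes `allow_localhost=True, allow_any_port=True`.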

comment:5 Changed 8 years ago by russellm

  • Resolution set to fixed
  • Status changed from new to closed

(In [6152]) Fixed #3421 -- Added IP and localhost validation to newforms URLField. Thanks, SmileyChris.
