Opened 17 years ago

Closed 17 years ago

#3421 closed (fixed)

URLField does not validate IP addresses, or localhost

Reported by: mirrorballu2@…
Owned by: nobody
Component: Forms
Version: dev
Severity:
Keywords: URLField
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

This URL http://127.0.0.1:8000/ doesn't validate. I think it should, because that's where Django's own server runs. Also sites can be run without a domain, only using the IP. This doesn't validate either: http://201.27.42.72/

Attachments (2)

url_re.patch (552 bytes) - added by madssj@… 17 years ago.
url_re patch
url_re.2.patch (1.1 KB) - added by Chris Beaven 17 years ago.


Change History (7)

comment:1 by Simon G. <dev@…>, 17 years ago

Component: Validators → django.newforms
Summary: URLField: 127.0.0.1 URLs are invalid → URLField does not validate IP addresses, or localhost
Triage Stage: Unreviewed → Design decision needed

I've moved this onto newforms, as this is still an issue there - e.g.:

In [47]: f.clean('http://localhost')
...
ValidationError: [u'Enter a valid URL.']

In [48]: f.clean('http://127.0.0.1')
...
ValidationError: [u'Enter a valid URL.']

In [49]: f.clean('http://208.113.142.170')
...
ValidationError: [u'Enter a valid URL.']

Looking at the regex though, it may be more trouble than it's worth to fix this.

comment:2 by madssj@…, 17 years ago

Has patch: set

Attached patch that allows IPs in the URL.

by madssj@…, 17 years ago

Attachment: url_re.patch added

url_re patch

by Chris Beaven, 17 years ago

Attachment: url_re.2.patch added

comment:3 by Chris Beaven, 17 years ago

Triage Stage: Design decision needed → Ready for checkin

(added tests in the last patch)

I don't really see a design decision required. Promoting to checkin.

comment:4 by anonymous, 17 years ago

Any chance this could be broken into separate options for the field before getting checked in? From a security standpoint I think it's safer to make programmers dictate they want to accept IPs and non-standard port numbers (IPs and non port 80/443 sites are very commonly used by malware/phishing sites and comment form spammers).
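
An added example, not part of the ticket or of Django's code: a standard-library sketch of the opt-in behaviour comment:4 asks for, where IP-literal hosts, localhost and non-default ports are each rejected unless the caller enables them. The name `check_url` and its `allow_*` flags are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Default port per accepted scheme; anything else counts as "non-standard".
DEFAULT_PORTS = {"http": 80, "https": 443}


def check_url(url, allow_ip=False, allow_localhost=False, allow_any_port=False):
    """Return (ok, reason). Hypothetical helper, not a Django API."""
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError on an out-of-range port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in DEFAULT_PORTS:
        return False, "scheme not allowed"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "missing host"

    # Is the host an IPv4/IPv6 literal rather than a DNS name?
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None and ip.is_loopback:
        # 127.0.0.0/8 and ::1 are governed by the localhost switch.
        if not allow_localhost:
            return False, "loopback host not allowed"
    elif ip is not None:
        if not allow_ip:
            return False, "IP-literal host not allowed"
    elif host == "localhost" or host.endswith(".localhost"):
        if not allow_localhost:
            return False, "localhost not allowed"

    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        if not allow_any_port:
            return False, "non-default port not allowed"
    return True, "ok"


if __name__ == "__main__":
    # URLs taken from the ticket description and comment:1.
    for u in ("http://127.0.0.1:8000/", "http://201.27.42.72/", "http://localhost"):
        print(u, check_url(u), check_url(u, True, True, True))
```

With every flag left at its default the three URLs from the ticket are rejected; a development settings profile would pass `allow_localhost=True, allow_any_port=True` to accept Django's own server address.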

comment:5 by Russell Keith-Magee, 17 years ago

Resolution: fixed
Status: new → closed

(In [6152]) Fixed #3421 -- Added IP and localhost validation to newforms URLField. Thanks, SmileyChris.
