Opened 15 months ago

Closed 13 months ago

Last modified 4 months ago

#34380 closed Cleanup/optimization (fixed)

Make URLField assume "https".

Reported by: Coen van der Kamp
Owned by: Coen van der Kamp
Component: Forms
Version: 4.1
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

In django.forms.fields.URLField.to_python the assumption is made that the http (no S) is a good default scheme for URLs that do not specify a scheme when submitted.

Entering example.com in a URLField will give http://example.com as cleaned data.

Ref: https://github.com/django/django/blame/main/django/forms/fields.py#L772-L774

I think URLField should assume the safe option https.

I've notified the security team, and they didn't see this as a security issue.

Change History (12)

comment:1 by Coen van der Kamp, 15 months ago

I've opened a pull request. And am happy to adjust if needed.
https://github.com/django/django/pull/16614

comment:2 by Coen van der Kamp, 15 months ago

Has patch: set

comment:3 by Mariusz Felisiak, 14 months ago

Needs documentation: set
Owner: changed from nobody to Coen van der Kamp
Patch needs improvement: set
Status: new → assigned
Summary: URLField assumes http → Make URLField assume "https".
Triage Stage: Unreviewed → Accepted

Thanks for this report. As far as I'm aware, we should switch the default to "https" via the deprecation process (see #32375 for a similar change).

comment:4 by Coen van der Kamp, 14 months ago

I've updated the PR (improved the patch). https://github.com/django/django/pull/16614/files
Not sure if I need to update something on this ticket.

comment:5 by Mariusz Felisiak, 13 months ago

Needs documentation: unset
Patch needs improvement: unset
Triage Stage: Accepted → Ready for checkin

comment:6 by Mariusz Felisiak <felisiak.mariusz@…>, 13 months ago

Resolution: fixed
Status: assigned → closed

In 7bbbadc6:

Fixed #34380 -- Allowed specifying a default URL scheme in forms.URLField.

This also deprecates "http" as the default scheme.

comment:7 by Mariusz Felisiak <felisiak.mariusz@…>, 6 months ago

In 0203771:

Refs #34380 -- Improved docs for forms.URLField.assume_scheme.

comment:8 by Mariusz Felisiak <felisiak.mariusz@…>, 6 months ago

In 4c74dff:

[5.0.x] Refs #34380 -- Improved docs for forms.URLField.assume_scheme.

Backport of 0203771b626c27c1af24cdeb0e425ccca3d19ad5 from main

comment:9 by GitHub <noreply@…>, 6 months ago

In a4931cd7:

Refs #34380 -- Added FORMS_URLFIELD_ASSUME_HTTPS transitional setting.

This allows early adoption of the new default "https".

comment:10 by Mariusz Felisiak <felisiak.mariusz@…>, 6 months ago

In 92af3d4d:

[5.0.x] Refs #34380 -- Added FORMS_URLFIELD_ASSUME_HTTPS transitional setting.

This allows early adoption of the new default "https".

Backport of a4931cd75a1780923b02e43475ba5447df3adb31 from main.

comment:11 by Daniel Hahler, 4 months ago

There is no (easy) way to pass/use assume_scheme via django.db.models.fields.URLField (directly), avoiding the deprecation messages (since using the transitional setting FORMS_URLFIELD_ASSUME_HTTPS also triggers a deprecation message already).

Should django.db.models.fields.URLField accept/handle assume_scheme?

Or is the way to go to use FORMS_URLFIELD_ASSUME_HTTPS for now, ignoring its DeprecationMessage, and to remove the setting with Django 6.0 again?

Might be nice to document this then in the release notes / documentation.

in reply to: 11 comment:12 by Mariusz Felisiak, 4 months ago

Or is the way to go to use FORMS_URLFIELD_ASSUME_HTTPS for now, ignoring its DeprecationMessage, and to remove the setting with Django 6.0 again?

That was our idea (check out the entire discussion). If you agree to early adoption of the new (Django 6.0+) default, set FORMS_URLFIELD_ASSUME_HTTPS = True and ignore its deprecation warning during the Django 5.X release cycle with e.g. warnings.filterwarnings("ignore", "FORMS_URLFIELD_ASSUME_HTTPS", category=RemovedInDjango60Warning). In Django 6.0 you will be able to remove both the FORMS_URLFIELD_ASSUME_HTTPS setting and the warnings filter.
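The behaviour discussed in this ticket, as an added stand-alone example that is not Django's code: a small stand-in for what the description says forms.URLField.to_python does with a scheme-less submission (example.com becoming http://example.com), extended with an assume_scheme parameter so the "http" versus "https" default can be compared, plus the transitional pattern from comment 12 (emit a deprecation warning when the old default is relied on, and silence it with a warnings filter). The function names normalize_url and clean_many, the warning class RemovedInNextMajorWarning and the sample inputs are all constructed for this example; only the standard library is used, so it runs without Django installed.

```python
import warnings
from urllib.parse import urlsplit, urlunsplit


class RemovedInNextMajorWarning(DeprecationWarning):
    """Constructed stand-in for Django's RemovedInDjango60Warning."""


def normalize_url(value, assume_scheme=None):
    """Return `value` with a scheme, in the spirit of forms.URLField.to_python.

    A submitted URL without a scheme gets `assume_scheme` prepended. Passing
    assume_scheme=None mimics the transitional period: the old "http" default
    is still applied, but a deprecation warning is raised at the moment it
    actually matters (when a scheme has to be assumed), so callers see which
    inputs would change meaning once the default becomes "https".
    """
    value = value.strip()
    if not value:
        return value
    parts = list(urlsplit(value))  # [scheme, netloc, path, query, fragment]
    if not parts[0]:
        if assume_scheme is None:
            warnings.warn(
                'The default scheme will change from "http" to "https"; '
                "pass assume_scheme explicitly.",
                RemovedInNextMajorWarning,
                stacklevel=2,
            )
            assume_scheme = "http"
        parts[0] = assume_scheme
    if not parts[1]:
        # urlsplit("example.com/x") puts the host into the path; move it to
        # netloc and re-split so the path component is recovered correctly.
        parts[1], parts[2] = parts[2], ""
        parts = list(urlsplit(urlunsplit(parts)))
    return urlunsplit(parts)


def clean_many(values, assume_scheme=None, ignore_deprecation=False):
    """Clean several submitted values.

    Returns (cleaned_values, number_of_deprecation_warnings). With
    ignore_deprecation=True the warning is filtered by category, which is the
    early-adoption recipe from comment 12 applied to this stand-in class.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        if ignore_deprecation:
            warnings.filterwarnings("ignore", category=RemovedInNextMajorWarning)
        cleaned = [normalize_url(v, assume_scheme) for v in values]
    return cleaned, len(caught)


if __name__ == "__main__":
    # Constructed sample submissions: scheme-less, explicit https, host-in-path.
    submitted = ["example.com", "https://example.com/login", "example.com/path?q=1"]
    print(clean_many(submitted))                       # old default, warns once
    print(clean_many(submitted, assume_scheme="https"))  # new default, no warning
    print(clean_many(submitted, ignore_deprecation=True))  # old default, silenced
```

The point the example makes concrete is that only scheme-less input is affected by the change: a value that already carries a scheme is returned untouched under either default, which is why the ticket's security team note and the deprecation process both concern what the field silently adds, not what users type in full.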
