#34380 closed Cleanup/optimization (fixed)
Make URLField assume "https".
Reported by: | Coen van der Kamp | Owned by: | Coen van der Kamp |
---|---|---|---|
Component: | Forms | Version: | 4.1 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
In django.forms.fields.URLField.to_python
the assumption is made that the http
(no S) is a good default scheme for URLs that do not specify a scheme when submitted.
Entering example.com
in a URLField will give http://example.com
as cleaned data.
Ref: https://github.com/django/django/blame/main/django/forms/fields.py#L772-L774
I think URLField should assume the safe option https
.
I've notified the security team, and they didn't see this as a security issue.
Change History (12)
comment:1 by , 20 months ago
comment:2 by , 20 months ago
Has patch: | set |
---|
comment:3 by , 20 months ago
Needs documentation: | set |
---|---|
Owner: | changed from | to
Patch needs improvement: | set |
Status: | new → assigned |
Summary: | URLField assumes http → Make URLField assume "https". |
Triage Stage: | Unreviewed → Accepted |
Thanks for this report. As far as I'm aware, we should switch the default to "https" via the deprecation process (see #32375 for a similar change).
comment:4 by , 20 months ago
I've updated the PR (improved the patch). https://github.com/django/django/pull/16614/files
Not sure if I need to update something on this ticket.
comment:5 by , 19 months ago
Needs documentation: | unset |
---|---|
Patch needs improvement: | unset |
Triage Stage: | Accepted → Ready for checkin |
follow-up: 12 comment:11 by , 10 months ago
There is no (easy) way to pass/use assume_scheme
via django.db.models.fields.URLField
(directly), avoiding the deprecation messages (since using the transitional setting FORMS_URLFIELD_ASSUME_HTTPS
also triggers a deprecation message already).
Should django.db.models.fields.URLField
accept/handle assume_scheme
?
Or is the way to go to use FORMS_URLFIELD_ASSUME_HTTPS
for now, ignoring its DeprecationMessage
, and to remove the setting with Django 6.0 again?
Might be nice to document this then in the release notes / documentation.
comment:12 by , 10 months ago
Or is the way to go to use
FORMS_URLFIELD_ASSUME_HTTPS
for now, ignoring itsDeprecationMessage
, and to remove the setting with Django 6.0 again?
That was our idea (check out the entire discussion). If you agree for an early adoption of the new (Django 6.0+) default, set FORMS_URLFIELD_ASSUME_HTTPS = True
and ignore it's deprecation warning during Django 5.X release cycle with e.g. warnings.filterwarnings("ignore", "FORMS_URLFIELD_ASSUME_HTTPS", category=RemovedInDjango60Warning)
. In Django 6.0 you will be able to remove both the FORMS_URLFIELD_ASSUME_HTTPS
setting and a warnings
filter.
I've opened a pull request. And am happy to adjust if needed.
https://github.com/django/django/pull/16614