Opened 5 weeks ago

Closed 5 weeks ago

Last modified 5 weeks ago

#35845 closed Bug (fixed)

DomainNameValidator accepts any string if it contains a valid domain

Reported by: kazet Owned by: Justin Thurman
Component: Core (Other) Version: 5.1
Severity: Release blocker Keywords: validators
Cc: kazet Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

Minimal example to reproduce:

kazet@b:~$ docker run -it python:latest bash
proot@80443b364903:/# pip install django
Collecting django
  Downloading Django-5.1.2-py3-none-any.whl.metadata (4.2 kB)
Collecting asgiref<4,>=3.8.1 (from django)
  Downloading asgiref-3.8.1-py3-none-any.whl.metadata (9.3 kB)
Collecting sqlparse>=0.3.1 (from django)
  Downloading sqlparse-0.5.1-py3-none-any.whl.metadata (3.9 kB)
Downloading Django-5.1.2-py3-none-any.whl (8.3 MB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 8.3/8.3 MB 17.9 MB/s eta 0:00:00
Downloading asgiref-3.8.1-py3-none-any.whl (23 kB)
Downloading sqlparse-0.5.1-py3-none-any.whl (44 kB)
Installing collected packages: sqlparse, asgiref, django
Successfully installed asgiref-3.8.1 django-5.1.2 sqlparse-0.5.1
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager, possibly rendering your system unusable.It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv. Use the --root-user-action option if you know what you are doing and want to suppress this warning.
root@80443b364903:/# python3
Python 3.13.0 (main, Oct  8 2024, 00:06:32) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from django.core.validators import DomainNameValidator
>>> DomainNameValidator()("invalid domain")  # that works correctly
Traceback (most recent call last):
  File "<python-input-1>", line 1, in <module>
    DomainNameValidator()("invalid domain")  # that works correctly
    ~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/django/core/validators.py", line 120, in __call__
    super().__call__(value)
    ~~~~~~~~~~~~~~~~^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/django/core/validators.py", line 55, in __call__
    raise ValidationError(self.message, code=self.code, params={"value": value})
django.core.exceptions.ValidationError: <exception str() failed>
>>> DomainNameValidator()("invalid domain @#$#$^%#@@ but we appended a correct domain at the end: example.com")  # that doesn't
>>> 

Change History (6)

comment:1 by Claude Paroz, 5 weeks ago

Component: UncategorizedCore (Other)
Severity: NormalRelease blocker
Triage Stage: UnreviewedAccepted
Type: UncategorizedBug

comment:2 by Justin Thurman, 5 weeks ago

Owner: set to Justin Thurman
Status: newassigned

comment:3 by Justin Thurman, 5 weeks ago

Has patch: set

comment:4 by Sarah Boyce, 5 weeks ago

Triage Stage: AcceptedReady for checkin

comment:5 by Sarah Boyce <42296566+sarahboyce@…>, 5 weeks ago

Resolution: fixed
Status: assignedclosed

In 99dcc592:

Fixed #35845 -- Updated DomainNameValidator to require entire string to be a valid domain name.

Bug in 4971a9afe5642569f3dcfcd3972ebb39e88dd457.

Thank you to kazet for the report and Claude Paroz for the review.

comment:6 by Sarah Boyce <42296566+sarahboyce@…>, 5 weeks ago

In 3ba8b0d:

[5.1.x] Fixed #35845 -- Updated DomainNameValidator to require entire string to be a valid domain name.

Bug in 4971a9afe5642569f3dcfcd3972ebb39e88dd457.

Thank you to kazet for the report and Claude Paroz for the review.

Backport of 99dcc59237f384d7ade98acfd1cae8d90e6d60ab from main.

Note: See TracTickets for help on using tickets.
Back to Top