#4833 closed Bug (fixed)
auth superuser setup rejects valid @localhost e-mail address
| Reported by: | Owned by: | ||
|---|---|---|---|
| Component: | Validators | Version: | dev |
| Severity: | Normal | Keywords: | auth email validator ip |
| Cc: | maix42@…, jay@…, Erin Kelly | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
You just installed Django's auth system, which means you don't have any superusers defined. Would you like to create one now? (yes/no): yes Username (Leave blank to use 'steveg'): E-mail address: steveg@localhost Error: That e-mail address is invalid.
Uh, no it's not. It's a perfectly sensible address for local singleuser development server.
Attachments (8)
Change History (37)
comment:1 by , 17 years ago
| Component: | Uncategorized → Validators |
|---|---|
| Owner: | changed from to |
| Summary: | auth superuser setup rejects valid e-mail address → auth superuser setup rejects valid @localhost e-mail address |
| Triage Stage: | Unreviewed → Design decision needed |
comment:2 by , 17 years ago
| Triage Stage: | Design decision needed → Accepted |
|---|
comment:3 by , 17 years ago
Don't think it is possible to do with re. Instead we should define a constant list.
allowed_domain = ['local', 'localhost', 'localhost.localdomain']
comment:4 by , 17 years ago
If we're going to fix this, we should do it properly. Single word domains are legal, not just restricted to localhost. So a list is not a good approach.
comment:5 by , 17 years ago
Django is using common validators, it'd be problematic for Django apps which are running online. Either we shouldnt fix it or we should allow ONLY some specific domains.
by , 17 years ago
comment:6 by , 17 years ago
| Has patch: | set |
|---|---|
| Keywords: | auth email validator added |
| Version: | 0.96 → SVN |
4833.diff solves the problem in a generic fashion and also accepts a superset of the currently accepted domains.
comment:8 by , 17 years ago
It also rejects IDNs (Internationalized Domain Name, domain with characters outside ascii) and umlauts in the first part of the email address (such as äöü (German, for example)). Maybe it should be chang to just test if there's an @ inside.
comment:9 by , 17 years ago
| Cc: | added |
|---|
by , 17 years ago
| Attachment: | localhost_email_validation_test_case.diff added |
|---|
I attached a simple test case for localhost email validation but the patch 4833.diff causes it to fail.
comment:10 by , 17 years ago
| Cc: | added |
|---|---|
| Needs tests: | unset |
| Owner: | changed from to |
| Patch needs improvement: | set |
comment:11 by , 17 years ago
| Cc: | added |
|---|---|
| Owner: | changed from to |
The test case uploaded by skabber isn't set up correctly as a doctest, so I'm not sure how it was expected to pass. 4833_test.diff adds a test for this in modeltests/validation, and it passes.
I don't know enough about IDNs to fix the problem pointed out by maix, although just checking for an @ seems wrong to me.
comment:12 by , 17 years ago
From my understanding of the RFC doc, as below, 'steve@localhost' is not spec. In addition, these changes would break the current validation system which should be created with the production environment in mind. These changes would allow both 'steve@…' and 'steve@domaincom' to be used as a valid email address. Note the missing period in the second email address.
Two ideas for reaching a middle ground:
- Check for usual localhost domains like ['local', 'localhost', 'localhost.localdomain']. This would allow for 'steve@localhost' while still invalidating 'steve@domaincom'.
- Allow the email address to be empty.
RFC 2821 (http://tools.ietf.org/html/rfc2821):
3.6 Domains
Only resolvable, fully-qualified, domain names (FQDNs) are permitted
when domain names are used in SMTP. In other words, names that can
be resolved to MX RRs or A RRs (as discussed in section 5) are
permitted, as are CNAME RRs whose targets can be resolved, in turn,
to MX or A RRs. Local nicknames or unqualified names MUST NOT be
used. There are two exceptions to the rule requiring FQDNs:
- The domain name given in the EHLO command MUST BE either a primary
host name (a domain name that resolves to an A RR) or, if the host
has no name, an address literal as described in section 4.1.1.1.
- The reserved mailbox name "postmaster" may be used in a RCPT
command without domain qualification (see section 4.1.1.3) and
MUST be accepted if so used.
comment:13 by , 17 years ago
| Cc: | added; removed |
|---|
comment:14 by , 15 years ago
| Keywords: | ip added |
|---|---|
| Owner: | changed from to |
| Status: | new → assigned |
What is more it rejects also e-mails with IPs after @. I totally do not understand why, as also in production environment, even if localhost is not threated as a valid value, there is no point to threat emails on servers woithout associated domain name as invalid.
comment:15 by , 15 years ago
| Triage Stage: | Accepted → Design decision needed |
|---|
comment:16 by , 15 years ago
| Owner: | removed |
|---|---|
| Status: | assigned → new |
comment:17 by , 14 years ago
| Triage Stage: | Design decision needed → Accepted |
|---|
comment:18 by , 14 years ago
| Severity: | → Normal |
|---|---|
| Type: | → Bug |
comment:19 by , 13 years ago
| Easy pickings: | unset |
|---|---|
| Patch needs improvement: | unset |
| UI/UX: | unset |
The following patch takes a slightly different approach. I'm splitting email addresses at @ in all cases before validation, so we can give special treatment to domain (as it was already done for IDN validation).
It remains unclear for me if the fact of giving EmailValidator a tuple of regexes is breaking some backwards compatibility (didn't find EmailValidator in docs). Anyway, that's just my proposal and it may still need some work...
comment:20 by , 13 years ago
| Patch needs improvement: | set |
|---|
The most recent patch has 2 problems:
It is currently failing to apply to trunk - but updating that is pretty mild.
The bigger problem is that the replacement regex tuple causes a current test to fail, because the patch would consider the following email invalid:
local@…äöüßabc.part.com
which is a valid international address.
ERROR: test_emailfield_1 (regressiontests.forms.tests.fields.FieldsTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/Users/preston/Projects/code/forks/django/tests/regressiontests/forms/tests/fields.py", line 509, in test_emailfield_1
self.assertEqual(u'local@domain.with.idn.xyz\xe4\xf6\xfc\xdfabc.part.com', f.clean('local@domain.with.idn.xyzäöüßabc.part.com'))
File "/Users/preston/Projects/code/forks/django/django/forms/fields.py", line 455, in clean
return super(EmailField, self).clean(value)
File "/Users/preston/Projects/code/forks/django/django/forms/fields.py", line 153, in clean
self.run_validators(value)
File "/Users/preston/Projects/code/forks/django/django/forms/fields.py", line 142, in run_validators
raise ValidationError(errors)
ValidationError: [u'Enter a valid e-mail address.']
comment:21 by , 13 years ago
| Patch needs improvement: | unset |
|---|
Thanks ptone for catching this. The regex was right, but there was a missing "return" in my code when the validation succeeded.
comment:22 by , 13 years ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
The current patch applies cleanly, passes tests, and addresses the specific problem of the ticket. There are potentially other valid needs for other whitelisted local domains, but in the specific case of this narrow scope for the super user - a simple, specific check for localhost seems valid.
Some minor concern remains about the general test coverage for email validation, and whether the new regex will hit trouble with edge cases not considered in the tests.
This patch does not seem to warrant any change in the documentation.
I'll let a core dev consider the weight of that concern and will mark this RFC.
comment:23 by , 13 years ago
Bumping this back to accepted, subclassing regexvalidator, but then making regex be a tuple rather than the usual format doesn't seem like good design. Either this shouldn't subclass regex validator, or it should communicate the second regex in a different way (not calling super __call__ at any point is another good indicator of that).
comment:24 by , 13 years ago
| Triage Stage: | Ready for checkin → Accepted |
|---|
by , 13 years ago
| Attachment: | 4833-4.diff added |
|---|
Refactored patch to not inherit from RegexValidator
comment:26 by , 13 years ago
| Patch needs improvement: | unset |
|---|
Alex's comment was accurate. Inheriting from RegexValidator didn't bring anything. Hopefully it is in better shape now.
by , 12 years ago
| Attachment: | 4833-6.diff added |
|---|
Updated patch to master. Tests pass on 2.7 and 3.2.
comment:27 by , 12 years ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
comment:28 by , 12 years ago
| Owner: | set to |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
To fix this, we'll need to modify the regex in isValidEmail in django/core/validators.py, but quite frankly, that regex scares me.