Commit 82976e5c authored by Raphael Michel's avatar Raphael Michel Committed by Tim Graham
Browse files

Fixed #25637 -- Added URLValidator hostname length validation. 

URLValidator now validates the maximum length of a hostname and the
maximum length of all labels inside the hostname.
parent d7a58f28

django/core/validators.py

+11 −3
Original line number Diff line number Diff line
@@ -83,9 +83,10 @@ class URLValidator(RegexValidator): 
    ipv6_re = r'\[[0-9a-f:\.]+\]'  # (simple regex, validated later)



    # Host patterns

    hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9])?'

    domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]+(?<!-))*'

    tld_re = r'\.(?:[a-z' + ul + r']{2,}|xn--[a-z0-9]+)\.?'

    hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]{0,61}[a-z' + ul + r'0-9])?'

    # Max length for domain name labels is 63 characters per RFC 1034 sec. 3.1

    domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]{1,63}(?<!-))*'

    tld_re = r'\.(?:[a-z' + ul + r']{2,63}|xn--[a-z0-9]{1,59})\.?'

    host_re = '(' + hostname_re + domain_re + tld_re + '|localhost)'



    regex = _lazy_re_compile(
@@ -136,6 +137,13 @@ class URLValidator(RegexValidator): 
                    raise ValidationError(self.message, code=self.code)

            url = value



        # The maximum length of a full host name is 253 characters per RFC 1034

        # section 3.1. It's defined to be 255 bytes or less, but this includes

        # one byte for the length of the name and one byte for the trailing dot

        # that's used to indicate absolute names in DNS.

        if len(urlsplit(value).netloc) > 253:

            raise ValidationError(self.message, code=self.code)



integer_validator = RegexValidator(

    _lazy_re_compile('^-?\d+\Z'),

    message=_('Enter a valid integer.'),

docs/releases/1.10.txt

+3 −1
Original line number Diff line number Diff line
@@ -258,7 +258,9 @@ URLs 
Validators

^^^^^^^^^^



* ...

* :class:`~django.core.validators.URLValidator` now limits the length of

  domain name labels to 63 characters and the total length of domain

  names to 253 characters per :rfc:`1034`.



Backwards incompatible changes in 1.10

======================================

tests/validators/invalid_urls.txt

+4 −0
Original line number Diff line number Diff line
@@ -50,3 +50,7 @@ http://[::1:2::3]:8080/ 
http://[]

http://[]:8080

http://example..com/

http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com

http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com

http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaa

tests/validators/valid_urls.txt

+4 −0
Original line number Diff line number Diff line
@@ -63,3 +63,7 @@ http://0.0.0.0/ 
http://255.255.255.255

http://224.0.0.0

http://224.1.1.1

http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com

http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com

http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaa