[Django] #34380: URLField assumes http

Django

Mar 2, 2023, 5:43:05 PM
to django-...@googlegroups.com
#34380: URLField assumes http
------------------------------------------------+------------------------
Reporter: Coen van der Kamp | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Forms | Version: 4.1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
In `django.forms.fields.URLField.to_python` the assumption is made that
`http` (no S) is a good default scheme for URLs that do not specify a
scheme when submitted.

Entering `example.com` in a URLField will give `http://example.com` as
cleaned data.

Ref:
https://github.com/django/django/blame/main/django/forms/fields.py#L772-L774

I think URLField should assume the safe option `https`.

I've notified the security team, and they didn't see this as a security
issue.

--
Ticket URL: <https://code.djangoproject.com/ticket/34380>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
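
The defaulting behaviour described in the ticket, as an added stand-alone sketch (not Django's code and not taken from the pull request). `apply_default_scheme`, `scheme_was_assumed` and the `default_scheme` parameter are hypothetical names, and the sample inputs are constructed. It shows that the chosen default only affects scheme-less input, while an explicit `http://` is kept as typed.

```python
from urllib.parse import urlsplit, urlunsplit


def scheme_was_assumed(value: str) -> bool:
    """True when the submitted text carries no scheme of its own."""
    value = value.strip()
    return bool(value) and not urlsplit(value).scheme


def apply_default_scheme(value: str, default_scheme: str = "https") -> str:
    """Return value with default_scheme filled in when none was given.

    default_scheme is a hypothetical parameter for this sketch; pass "http"
    to reproduce the cleaned data the ticket describes.
    """
    value = value.strip()
    if not value:
        return value
    parts = list(urlsplit(value))
    if not parts[0]:
        # No scheme submitted: this is the only place the default applies.
        parts[0] = default_scheme
    if not parts[1]:
        # urlsplit() files a bare "example.com/login" under path, not netloc,
        # so treat the path as the host and split again to separate them.
        parts[1], parts[2] = parts[2], ""
        parts = list(urlsplit(urlunsplit(parts)))
    return urlunsplit(parts)


if __name__ == "__main__":
    # Constructed sample inputs, as a user might type them into a form.
    samples = [
        "example.com",
        "example.com/login?next=/home",
        "//example.com/path",
        "http://example.com",
    ]
    for raw in samples:
        print(
            f"{raw!r:34} assumed={scheme_was_assumed(raw)!s:5} "
            f"http-default={apply_default_scheme(raw, 'http')!r} "
            f"https-default={apply_default_scheme(raw)!r}"
        )
```
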

Django

Mar 2, 2023, 5:48:47 PM
to django-...@googlegroups.com
#34380: URLField assumes http
-------------------------------------+-------------------------------------
Reporter: Coen van der Kamp | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Forms | Version: 4.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Coen van der Kamp):

I've opened a pull request and am happy to adjust if needed.
https://github.com/django/django/pull/16614

--
Ticket URL: <https://code.djangoproject.com/ticket/34380#comment:1>

Django

Mar 2, 2023, 6:03:06 PM
to django-...@googlegroups.com
#34380: URLField assumes http
-------------------------------------+-------------------------------------
Reporter: Coen van der Kamp | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Forms | Version: 4.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Coen van der Kamp):

* has_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/34380#comment:2>
