[Django] #35845: DomainNameValidator accepts any string if it contains a valid domain
15 views
Skip to first unread message
Django
Oct 16, 2024, 2:46:10 AM10/16/24
to django-...@googlegroups.com
#35845: DomainNameValidator accepts any string if it contains a valid domain
----------------------------+-----------------------------------------
Reporter: kazet | Type: Uncategorized
Status: new | Component: Uncategorized
Version: 5.1 | Severity: Normal
Keywords: validators | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
----------------------------+-----------------------------------------
Minimal example to reproduce:
{{{
kazet@b:~$ docker run -it python:latest bash
proot@80443b364903:/# pip install django
Collecting django
Downloading Django-5.1.2-py3-none-any.whl.metadata (4.2 kB)
Collecting asgiref<4,>=3.8.1 (from django)
Downloading asgiref-3.8.1-py3-none-any.whl.metadata (9.3 kB)
Collecting sqlparse>=0.3.1 (from django)
Downloading sqlparse-0.5.1-py3-none-any.whl.metadata (3.9 kB)
Downloading Django-5.1.2-py3-none-any.whl (8.3 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 8.3/8.3 MB 17.9 MB/s eta
0:00:00
Downloading asgiref-3.8.1-py3-none-any.whl (23 kB)
Downloading sqlparse-0.5.1-py3-none-any.whl (44 kB)
Installing collected packages: sqlparse, asgiref, django
Successfully installed asgiref-3.8.1 django-5.1.2 sqlparse-0.5.1
WARNING: Running pip as the 'root' user can result in broken permissions
and conflicting behaviour with the system package manager, possibly
rendering your system unusable.It is recommended to use a virtual
environment instead: https://pip.pypa.io/warnings/venv. Use the --root-
user-action option if you know what you are doing and want to suppress
this warning.
root@80443b364903:/# python3
Python 3.13.0 (main, Oct 8 2024, 00:06:32) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from django.core.validators import DomainNameValidator
>>> DomainNameValidator()("invalid domain") # that works correctly
Traceback (most recent call last):
File "<python-input-1>", line 1, in <module>
DomainNameValidator()("invalid domain") # that works correctly
~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.13/site-
packages/django/core/validators.py", line 120, in __call__
super().__call__(value)
~~~~~~~~~~~~~~~~^^^^^^^
File "/usr/local/lib/python3.13/site-
packages/django/core/validators.py", line 55, in __call__
raise ValidationError(self.message, code=self.code, params={"value":
value})
django.core.exceptions.ValidationError: <exception str() failed>
>>> DomainNameValidator()("invalid domain @#$#$^%#@@ but we appended a
correct domain at the end: example.com") # that doesn't
>>>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/35845>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
----------------------------+-----------------------------------------
Reporter: kazet | Type: Uncategorized
Status: new | Component: Uncategorized
Version: 5.1 | Severity: Normal
Keywords: validators | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
----------------------------+-----------------------------------------
Minimal example to reproduce:
{{{
kazet@b:~$ docker run -it python:latest bash
proot@80443b364903:/# pip install django
Collecting django
Downloading Django-5.1.2-py3-none-any.whl.metadata (4.2 kB)
Collecting asgiref<4,>=3.8.1 (from django)
Downloading asgiref-3.8.1-py3-none-any.whl.metadata (9.3 kB)
Collecting sqlparse>=0.3.1 (from django)
Downloading sqlparse-0.5.1-py3-none-any.whl.metadata (3.9 kB)
Downloading Django-5.1.2-py3-none-any.whl (8.3 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 8.3/8.3 MB 17.9 MB/s eta
0:00:00
Downloading asgiref-3.8.1-py3-none-any.whl (23 kB)
Downloading sqlparse-0.5.1-py3-none-any.whl (44 kB)
Installing collected packages: sqlparse, asgiref, django
Successfully installed asgiref-3.8.1 django-5.1.2 sqlparse-0.5.1
WARNING: Running pip as the 'root' user can result in broken permissions
and conflicting behaviour with the system package manager, possibly
rendering your system unusable.It is recommended to use a virtual
environment instead: https://pip.pypa.io/warnings/venv. Use the --root-
user-action option if you know what you are doing and want to suppress
this warning.
root@80443b364903:/# python3
Python 3.13.0 (main, Oct 8 2024, 00:06:32) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from django.core.validators import DomainNameValidator
>>> DomainNameValidator()("invalid domain") # that works correctly
Traceback (most recent call last):
File "<python-input-1>", line 1, in <module>
DomainNameValidator()("invalid domain") # that works correctly
~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.13/site-
packages/django/core/validators.py", line 120, in __call__
super().__call__(value)
~~~~~~~~~~~~~~~~^^^^^^^
File "/usr/local/lib/python3.13/site-
packages/django/core/validators.py", line 55, in __call__
raise ValidationError(self.message, code=self.code, params={"value":
value})
django.core.exceptions.ValidationError: <exception str() failed>
>>> DomainNameValidator()("invalid domain @#$#$^%#@@ but we appended a
correct domain at the end: example.com") # that doesn't
>>>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/35845>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Oct 16, 2024, 3:11:59 AM10/16/24
to django-...@googlegroups.com
#35845: DomainNameValidator accepts any string if it contains a valid domain
---------------------------------+------------------------------------
Reporter: kazet | Owner: (none)
Type: Bug | Status: new
Component: Core (Other) | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: validators | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
---------------------------------+------------------------------------
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by Claude Paroz):
* component: Uncategorized => Core (Other)
* severity: Normal => Release blocker
* stage: Unreviewed => Accepted
* type: Uncategorized => Bug
--
Ticket URL: <https://code.djangoproject.com/ticket/35845#comment:1>
Django
Oct 16, 2024, 7:42:31 AM10/16/24
to django-...@googlegroups.com
#35845: DomainNameValidator accepts any string if it contains a valid domain
-------------------------------------+-------------------------------------
Reporter: kazet | Owner: Justin
| Thurman
Type: Bug | Status: assigned
Component: Core (Other) | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: validators | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Severity: Release blocker | Resolution:
Keywords: validators | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by Justin Thurman):
* owner: (none) => Justin Thurman
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/35845#comment:2>
Django
Oct 16, 2024, 9:53:38 AM10/16/24
to django-...@googlegroups.com
#35845: DomainNameValidator accepts any string if it contains a valid domain
-------------------------------------+-------------------------------------
Reporter: kazet | Owner: Justin
| Thurman
Type: Bug | Status: assigned
Component: Core (Other) | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: validators | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
-------------------------------------+-------------------------------------
Reporter: kazet | Owner: Justin
| Thurman
Type: Bug | Status: assigned
Component: Core (Other) | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: validators | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Justin Thurman):
* has_patch: 0 => 1
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Justin Thurman):
--
Ticket URL: <https://code.djangoproject.com/ticket/35845#comment:3>
Django
Oct 17, 2024, 4:00:41 AM10/17/24
to django-...@googlegroups.com
#35845: DomainNameValidator accepts any string if it contains a valid domain
-------------------------------------+-------------------------------------
Reporter: kazet | Owner: Justin
| Thurman
Type: Bug | Status: assigned
Component: Core (Other) | Version: 5.1
Severity: Release blocker | Resolution:
Keywords: validators | Triage Stage: Ready for
-------------------------------------+-------------------------------------
Reporter: kazet | Owner: Justin
| Thurman
Type: Bug | Status: assigned
Component: Core (Other) | Version: 5.1
Severity: Release blocker | Resolution:
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/35845#comment:4>
Django
Oct 17, 2024, 10:45:52 AM10/17/24
to django-...@googlegroups.com
#35845: DomainNameValidator accepts any string if it contains a valid domain
-------------------------------------+-------------------------------------
Reporter: kazet | Owner: Justin
| Thurman
Type: Bug | Status: closed
-------------------------------------+-------------------------------------
Reporter: kazet | Owner: Justin
| Thurman
Component: Core (Other) | Version: 5.1
Severity: Release blocker | Resolution: fixed
Keywords: validators | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce <42296566+sarahboyce@…>):
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
* resolution: => fixed
* status: assigned => closed
Comment:
In [changeset:"99dcc59237f384d7ade98acfd1cae8d90e6d60ab" 99dcc592]:
{{{#!CommitTicketReference repository=""
revision="99dcc59237f384d7ade98acfd1cae8d90e6d60ab"
Fixed #35845 -- Updated DomainNameValidator to require entire string to be
a valid domain name.
Bug in 4971a9afe5642569f3dcfcd3972ebb39e88dd457.
Thank you to kazet for the report and Claude Paroz for the review.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/35845#comment:5>
Django
Oct 17, 2024, 11:01:37 AM10/17/24
to django-...@googlegroups.com
#35845: DomainNameValidator accepts any string if it contains a valid domain
-------------------------------------+-------------------------------------
Reporter: kazet | Owner: Justin
| Thurman
Type: Bug | Status: closed
Component: Core (Other) | Version: 5.1
Severity: Release blocker | Resolution: fixed
Keywords: validators | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Sarah Boyce <42296566+sarahboyce@…>):
-------------------------------------+-------------------------------------
Reporter: kazet | Owner: Justin
| Thurman
Type: Bug | Status: closed
Component: Core (Other) | Version: 5.1
Severity: Release blocker | Resolution: fixed
Keywords: validators | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
In [changeset:"3ba8b0dae8cfa8609a525a100ccc7d88859c5c81" 3ba8b0d]:
{{{#!CommitTicketReference repository=""
revision="3ba8b0dae8cfa8609a525a100ccc7d88859c5c81"
[5.1.x] Fixed #35845 -- Updated DomainNameValidator to require entire
string to be a valid domain name.
Bug in 4971a9afe5642569f3dcfcd3972ebb39e88dd457.
Thank you to kazet for the report and Claude Paroz for the review.
Backport of 99dcc59237f384d7ade98acfd1cae8d90e6d60ab from main.
Bug in 4971a9afe5642569f3dcfcd3972ebb39e88dd457.
Thank you to kazet for the report and Claude Paroz for the review.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/35845#comment:6>
Reply all
Reply to author
Forward
0 new messages