[Django] #33968: Make EmailValidator and URLValidator IDNA 2008 compliant
Django
-------------------------------------+-------------------------------------
Reporter: j-bernard | Owner: nobody
Type: | Status: new
Uncategorized |
Component: Core | Version: 4.0
(Mail) | Keywords: IDNA EAI
Severity: Normal | EmailValidator UrlValidator RFC
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
This ticket is the second of a list of tickets aiming at bringing Email
Address Internationalization (EAI) compliance to Django by supporting
International Domain Name (IDN) with regards to the latest standard (IDNA
2008) and fixing some processing on internationalized domains or email
addresses.
Previous ticket: #33967
Domain validation is not fully compliant with IDNA 2008 (either in
EmailValidator or UrlValidator) as defined in
[https://datatracker.ietf.org/doc/html/rfc5891#section-4.2 RFC5891
section-4.2]
A domain name cannot be validated properly with a regex, therefore, an IDN
validation should be performed with an appropriate library.
The current validation ignores IDNA errors. Instead, IDNA should be used
for domain validation and the regex validation should be skipped for
domains as it may lack some specific rules and then end up with invalid
domains being accepted.
Moreover, the current validation is made by performing a conversion to
A-Label with the Python `encodings.idna` module which implements a
deprecated standard (IDNA 2003).
This conversion should be made IDNA 2008 compliant. The most used Python
IDNA 2008 package is [https://pypi.org/project/idna/ idna], which is among
the most downloaded Python packages according to PyPI (4th as for the
current month) and referred in the
[https://docs.python.org/3/library/codecs.html#module-encodings.idna
official Python documentation].
--
Ticket URL: <https://code.djangoproject.com/ticket/33968>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
-------------------------------------+-------------------------------------
Reporter: j-bernard | Owner: nobody
Component: Core (Other) | Version: 4.0
Severity: Normal | Resolution: wontfix
Keywords: IDNA EAI | Triage Stage:
EmailValidator UrlValidator RFC | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* cc: Florian Apolloner (added)
* resolution: => wontfix
* status: new => closed
* component: Core (Mail) => Core (Other)
* type: Uncategorized => New feature
Comment:
Thanks for this ticket, however adding a new dependency is always
controversial and it isn't a light decision so a strong consensus on the
mailing list is required. Please first start a discussion on the
DevelopersMailingList, where you'll reach a wider audience and see what
other think, and
[https://docs.djangoproject.com/en/stable/internals/contributing/bugs-and-
features/#requesting-features follow the guidelines with regards to
requesting features].
Personally, I don't think it's worth complexity. My initial response would
be similar to the Python's, i.e. ''"If you need the IDNA 2008 standard
from RFC 5891 and RFC 5895, use a third-party validator"''.
--
Ticket URL: <https://code.djangoproject.com/ticket/33968#comment:1>
Django
-------------------------------------+-------------------------------------
Reporter: j-bernard | Owner: nobody
Type: New feature | Status: closed
Component: Core (Other) | Version: 4.0
Severity: Normal | Resolution: wontfix
Keywords: IDNA EAI | Triage Stage:
EmailValidator UrlValidator RFC | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by j-bernard):
Thanks, I started the discussion on the [https://groups.google.com/g
/django-developers/c/h80ELFgsess mailing list]
--
Ticket URL: <https://code.djangoproject.com/ticket/33968#comment:2>
Django
-------------------------------------+-------------------------------------
Reporter: j-bernard | Owner: nobody
Type: New feature | Status: closed
Component: Core (Other) | Version: 4.0
Severity: Normal | Resolution: wontfix
Keywords: IDNA EAI | Triage Stage:
EmailValidator UrlValidator RFC | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
If this gets reconsidered in the future, it will need to address potential
security issues in changing how django.core.mail encodes recipient
domains. As of July 2024, using IDNA 2003 for sending email (''not'' IDNA
2008) still seems to be the correct choice—or at least, matches what Gmail
and Microsoft's Outlook.com do. Details in
https://github.com/django/django/pull/16276#issuecomment-2227512278.
--
Ticket URL: <https://code.djangoproject.com/ticket/33968#comment:3>
Django
-------------------------------------+-------------------------------------
Reporter: j-bernard | Owner: nobody
Type: New feature | Status: closed
Component: Core (Other) | Version: 4.0
Severity: Normal | Resolution: wontfix
Keywords: IDNA EAI | Triage Stage:
EmailValidator UrlValidator RFC | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Mike Edmunds):
The URLValidator part became moot in Django 1.8, and the (no longer
active) call to punycode() was removed in #36007.
--
Ticket URL: <https://code.djangoproject.com/ticket/33968#comment:4>