Fixed #25637 -- Added URLValidator hostname length validation.

URLValidator now validates the maximum length of a hostname and the maximum length of all labels inside the hostname.
2015-11-07 11:08:16 +01:00 · 2015-11-07 11:08:16 +01:00 · 82976e5c3f
parent d7a58f285b
commit 82976e5c3f
4 changed files with 22 additions and 4 deletions
--- a/django/core/validators.py
+++ b/django/core/validators.py
@ -83,9 +83,10 @@ class URLValidator(RegexValidator):
    ipv6_re = r'\[[0-9a-f:\.]+\]'  # (simple regex, validated later)
    # Host patterns
-    hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9])?'
+    hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]{0,61}[a-z' + ul + r'0-9])?'
-    domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]+(?<!-))*'
+    # Max length for domain name labels is 63 characters per RFC 1034 sec. 3.1
-    tld_re = r'\.(?:[a-z' + ul + r']{2,}|xn--[a-z0-9]+)\.?'
+    domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]{1,63}(?<!-))*'
    tld_re = r'\.(?:[a-z' + ul + r']{2,63}|xn--[a-z0-9]{1,59})\.?'
    host_re = '(' + hostname_re + domain_re + tld_re + '|localhost)'
    regex = _lazy_re_compile(
@ -136,6 +137,13 @@ class URLValidator(RegexValidator):
                    raise ValidationError(self.message, code=self.code)
            url = value
        # The maximum length of a full host name is 253 characters per RFC 1034
        # section 3.1. It's defined to be 255 bytes or less, but this includes
        # one byte for the length of the name and one byte for the trailing dot
        # that's used to indicate absolute names in DNS.
        if len(urlsplit(value).netloc) > 253:
            raise ValidationError(self.message, code=self.code)
 integer_validator = RegexValidator(
    _lazy_re_compile('^-?\d+\Z'),
    message=_('Enter a valid integer.'),
--- a/docs/releases/1.10.txt
+++ b/docs/releases/1.10.txt
@ -258,7 +258,9 @@ URLs
 Validators
 ^^^^^^^^^^
-* ...
+* :class:`~django.core.validators.URLValidator` now limits the length of
  domain name labels to 63 characters and the total length of domain
  names to 253 characters per :rfc:`1034`.
 Backwards incompatible changes in 1.10
 ======================================
--- a/tests/validators/invalid_urls.txt
+++ b/tests/validators/invalid_urls.txt
@ -50,3 +50,7 @@ http://[::1:2::3]:8080/
 http://[]
 http://[]:8080
 http://example..com/
 http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com
 http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com
 http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaa
--- a/tests/validators/valid_urls.txt
+++ b/tests/validators/valid_urls.txt
@ -63,3 +63,7 @@ http://0.0.0.0/
 http://255.255.255.255
 http://224.0.0.0
 http://224.1.1.1
 http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com
 http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com
 http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaa