Control: tags -1 + fixed-upstream patch Hi Maintainer
Please find attached, a patch that was applied in Ubuntu to address this issue. Regards Graham
Description: Fixed URLValidator crash in some edge cases Origin: upstream, https://github.com/django/django/commit/e8b4feddc34ffe5759ec21da8fa027e86e653f1c Bug: https://code.djangoproject.com/ticket/33367 Author: Pedro Schlickmann Mendes <[email protected]> Last-Update: 2021-12-15 --- a/django/core/validators.py +++ b/django/core/validators.py @@ -111,14 +111,15 @@ # Then check full URL try: + splitted_url = urlsplit(value) + except ValueError: + raise ValidationError(self.message, code=self.code, params={'value': value}) + try: super().__call__(value) except ValidationError as e: # Trivial case failed. Try for possible IDN domain if value: - try: - scheme, netloc, path, query, fragment = urlsplit(value) - except ValueError: # for example, "Invalid IPv6 URL" - raise ValidationError(self.message, code=self.code, params={'value': value}) + scheme, netloc, path, query, fragment = splitted_url try: netloc = punycode(netloc) # IDN -> ACE except UnicodeError: # invalid domain part @@ -129,7 +130,7 @@ raise else: # Now verify IPv6 in the netloc part - host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', urlsplit(value).netloc) + host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', splitted_url.netloc) if host_match: potential_ip = host_match[1] try: @@ -141,7 +142,7 @@ # section 3.1. It's defined to be 255 bytes or less, but this includes # one byte for the length of the name and one byte for the trailing dot # that's used to indicate absolute names in DNS. - if len(urlsplit(value).hostname) > 253: + if splitted_url.hostname is None or len(splitted_url.hostname) > 253: raise ValidationError(self.message, code=self.code, params={'value': value})
