#36886: URLField max_length cannot take advantage of supports_unlimited_charfield in DB backend
-------------------------------------+-------------------------------------
Reporter: Joel D Sleppy | Owner: Joel D Sleppy
Type: New feature | Status: closed
Component: Database layer (models, ORM) | Version: 6.0
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 1
Needs tests: 1 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):
* resolution: => wontfix
* status: assigned => closed
* type: Uncategorized => New feature
Comment:
Hello Joel! Thank you for your ticket. I think I understand where you are
coming from, but Django provides general purpose, conservative primitives.
`URLField` is not just a thin alias for `CharField`; it is a higher level
abstraction with semantic expectations, including validation and
reasonable defaults. Requiring an explicit `max_length` is part of that
contract.

While URL length limits are not formally standardized, URLs do need
practical bounds. Allowing unbounded URL storage meaningfully increases
risk surface. Extremely long URLs are a known vector for denial of service
and resource exhaustion issues across layers (application, logging,
middleware, and more), and multiple historical CVEs across frameworks and
servers have been rooted in unbounded or insufficiently constrained string
inputs.

The existence of `supports_unlimited_charfield` at the database backend
level does not imply that all higher level field types should opt into
unbounded storage. `CharField` is intentionally low level. `URLField`
intentionally is not. From an API design perspective, allowing
`max_length=None` for `URLField` would blur the distinction between
`CharField` and `URLField`, weaken Django's defensive defaults, and
introduce subtle backwards compatibility and security review concerns for
limited practical gain. Developers who genuinely need unbounded URL-like
strings can already model that explicitly using `CharField` with specific
validators.

Given these considerations, the requirement for an explicit maximum length
on URLField is intentional and appropriate, even on backends that support
unlimited character fields.
--
Ticket URL: <https://code.djangoproject.com/ticket/36886#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.