#23025 closed Uncategorized (wontfix)
URLValidator allows for invalid IPv4 addresses
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | Uncategorized | Version: | 1.6 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The current URLValidator allows for invalid IPV4 addresses to pass
IPV4 addresses in dot-notation can have a max value of 255 in each of the octets. The validator only checks for the presence of 4 octets, so just typing in all 9s 999.999.999.999 tricks the test
tests/validators/tests.py should trigger a ValidationError on cases like this:
(URLValidator(), 'http://266.266.266.266', ValidationError),
(URLValidator(), 'http://999.999.999.999', ValidationError),
Note:
See TracTickets
for help on using tickets.
Same goes for IPv6 and domain names which are semantically valid but don't exist (eg http://www.bababababababababa.com/) -- the validator is ment to perform a quick and basic validation, nothing bulletproof (it's also the best we can do without writing an overly crazy regex). If you need it to be exact you should write your own validator which actually checks if the host is alive etc…