Opened 17 years ago

Closed 17 years ago

Last modified 17 years ago

#7433 closed (invalid)

URL not recognized as valid in URLField

Reported by: badbuay@…
Owned by: nobody
Component: Forms
Version: dev
Severity:
Keywords: URLField
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Change History (5)

comment:1 by edgarsj, 17 years ago

Resolution: invalid
Status: new → closed

I don't think this URL is valid.

From http://www.ietf.org/rfc/rfc1738.txt
...
3.3. HTTP
...
An HTTP URL takes the form:

http://<host>:<port>/<path>?<searchpart>

...
Within the <path> and <searchpart> components, "/", ";", "?" are
reserved. The "/" character may be used within HTTP to designate a
hierarchical structure.

comment:2 by badbuay@…, 17 years ago

Resolution: invalid
Status: closed → reopened

The URL is valid and works; it's passing parameters to a script to redirect to other web

comment:3 by edgarsj, 17 years ago

Resolution: invalid
Status: reopened → closed

Clearly by the RFC I linked it is not valid as it contains forbidden characters '/' and '?' in the searchpart. How do you define valid?

Do you suggest that Django should ignore standards?

If you want to reopen this ticket again, please state by which standards the URL is valid.

If you want to ignore IETF standards, then you can easily implement your own URLField which would work according to your own standards.

comment:4 by Jeff Anderson, 17 years ago

I believe that the correct way is to escape the characters that aren't permitted in the search part.

Instead of http://example.com/q?next=http://example.com/2?q=blah
It would be: http://example.com/q?next=http&#58;&#47;&#47;example.com&#47;&#63;q=blah

I could be wrong, but it would be interesting to see if the current URL field validates an html-escaped URL. ::shrug::

comment:5 by Marc Fargas, 17 years ago (in reply to: description)

Replying to badbuay@gmail.com:

Hi.
This valid URL: http://clk.tradedoubler.com/click?p=1111&a=1111111&g=111111&url=http://adfarm.mediaplex.com/ad/ck/2404-54910-11728-1?!mpro=http://lt.dell.com/lt/lt.aspx?CID=5212&LID=122756&DGC=AF&DGSegHS&ACD=^^&AID=¤¤&DURL=http%253A//www1.euro.dell.com/content/products/category.aspx/notebooks%253Fc%253Des%2526cs%253Desdhs1%2526l%253Des%2526s%253Ddhs

Had been rejected by URLField as No Valid.

Sure it's invalid. The reserved characters pointed out by edgarsj must be escaped, like:

http:// == http%3A

and so on, you can play with urllib.quote() to see this.

The fact that you can type this url in a browser and see it working doesn't mean it's valid:

  • The browser may be encoding the URL on its own, i.e. if you place spaces in a URL in Firefox it will change them for %20.
  • The server may be accepting such URLs; although invalid they can be parsed, but shouldn't.

Also note that for a lazy programmer it's easier to simply read the "url" parameter from GET than to decode it.
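
Added example, not part of the ticket or of Django's code: a Python 3 sketch of what the receiving script sees when a nested URL is pasted into a query parameter unescaped versus percent-encoded. The example.com URLs are constructed sample values, the helper names are hypothetical, and urllib.parse.quote() is the Python 3 location of the urllib.quote() mentioned in comment 5.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample values (not taken from the ticket).
OUTER_BASE = "http://example.com/q"
INNER = "http://example.com/2?q=blah&lang=es"


def nest_raw(base, inner):
    """Paste the inner URL into the query string without escaping it."""
    return f"{base}?next={inner}"


def nest_encoded(base, inner):
    """Percent-encode every reserved character so the inner URL is one value."""
    return f"{base}?next={quote(inner, safe='')}"


def outer_params(url):
    """Return the query parameters the receiving (outer) script would parse."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def survives_round_trip(url, inner):
    """True only if the outer script recovers the inner URL unchanged."""
    return outer_params(url).get("next") == [inner]


if __name__ == "__main__":
    for label, url in (("raw", nest_raw(OUTER_BASE, INNER)),
                       ("encoded", nest_encoded(OUTER_BASE, INNER))):
        print(label, url)
        print("  outer script sees:", outer_params(url))
        print("  inner URL intact: ", survives_round_trip(url, INNER))
```

In the raw form the inner URL's `&lang=es` is parsed as a parameter of the outer URL, so a redirect script reading `next` gets a truncated target; the encoded form keeps the inner URL as a single value.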
