On Sat, Oct 10, 2009 at 9:35 PM, James Bennett <ubernost...@gmail.com> wrote:
>
> In light of yesterday's security issue, I'd like to propose that we
> significantly dumb down the regex Django uses to validate email
> addresses.
>
> Currently, the regex we use covers many common cases, but comes
> nowhere near covering the entire spectrum of addresses allowed by the
> RFC; several tickets are open regarding this. Trying to cover more of
> the RFC is possible, although supporting all valid email addresses is
> not (various regexes claim to do this, but full coverage is impossible
> -- the RFC is flexible enough WRT things like nested comments that I'm
> fairly certain no single regex can handle them all), and -- as we've
> seen -- attempts to cover a broader chunk of the RFC can introduce
> issues with performance.
>
> So what I'd like to propose is that EmailField essentially check that
> the value contains an '@', and a '.' somewhere after it. This will
> cover most addresses that are likely to be in actual use, and various
> confirmation processes can be used to rule out any invalid addresses
> which happen to slip through that. Meanwhile, people who want to
> support comments inside a bang path or other such exotic beasts can
> simply write their own regex for it and tell a form to use that
> instead.

+1, with two additions:

1) If we encourage people to write their own regex if they want
tighter email validation, we run the risk that users will
inadvertently introduce the same bug that we have just fixed. We
should probably beef up the documentation of RegexField to highlight
the potential problem, give a few examples of how it can be triggered,
and give some links to useful resources.

2) I think we should relax the analogous regex check on URLField.
This one is slightly self-serving - one of the customers has an
internal network in which machines are named mymachine.foowhiz -
which is a violation of the RFC because of the 7-character TLD, but
that doesn't change the fact that it works fine on their internal
network.

A quick survey of tickets affected by this:

#9764 - Validation on internationalized domain names
#9202 - URLField validation
#7334 - non-ASCII domains (possible dupe of #9764)
#6092 - Allow custom validator for URL and Email fields

Russ %-)
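The two points above, as an added example that is not code from Django or from either poster: the lenient '@' then '.' rule as a plain string scan with no regex at all, and a small self-check a developer can run on a custom pattern before handing it to a form field. The probe lengths and the time budget are assumptions chosen for illustration, not Django settings.

```python
import re
import time


# Part 1: the lenient rule proposed in the thread.  A plain string scan has
# no regex engine behind it, so its cost is linear in len(value) and it
# cannot backtrack, whatever the input looks like.
def lenient_email_ok(value):
    """True if value contains an '@' and a '.' somewhere after it."""
    at = value.find("@")
    return at != -1 and "." in value[at + 1:]


# Part 2: a guard for anyone who supplies their own regex (point 1 of the
# reply).  The pattern is searched against constructed inputs of growing
# length: a long run of ordinary address characters that ends just short of
# a full match.  If any single search exceeds the budget, the pattern is
# refused; checking after every probe means a bad pattern is caught at a
# short length rather than after a very long search.
def regex_time_is_bounded(pattern, max_len=400, step=20, budget_s=0.05):
    """Return (ok, worst_seconds) for pattern over the constructed probes."""
    compiled = re.compile(pattern)
    worst = 0.0
    for n in range(step, max_len + 1, step):
        probes = (
            "a" * n,                                    # no '@' at all
            "a" * n + "@",                              # nothing after '@'
            "a" * n + "@" + "b." * (n // 2) + "!",      # domain ends oddly
        )
        for probe in probes:
            start = time.perf_counter()
            compiled.search(probe)
            worst = max(worst, time.perf_counter() - start)
            if worst > budget_s:
                return False, worst
    return True, worst
```

A pattern that passes this check at 400 characters is not proven safe for all inputs; it only shows that the common near-miss shapes do not blow up at the lengths a form would plausibly receive.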

You received this message because you are subscribed to the Google Groups 
"Django developers" group.