#25593: Remove scheme validation from URLValidator or provide all IANA
acceptable
schemes as defaults
-------------------------------------+-------------------------------------
Reporter: marcinn | Owner: nobody
Type: Uncategorized | Status: new
Component: Database layer | Version: 1.8
(models, ORM) |
Severity: Normal | Resolution:
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):
* needs_better_patch: => 0
* needs_tests: => 0
* needs_docs: => 0
Old description:
> == The problem ==
>
> There are defined only four schemes as default: http,https,ftp,ftps.
> But URL can have many many more valid schemes.
> HTTP and FTP as good defaults are invalid - they are too limited.
>
> There is no simple way to extend these schemes nor disable scheme
> validation.
> We must extend URLField and redeclare `default_validators` class
> property, which is too complex for that simple case.
>
> == Possible solutions ==
>
> - disable scheme validation and enable it only when user defines
> `allowed_schemes` directly in URLField (backward incompatible)
> - provide `allowed_schemes` as an optional argument for URLField
> `init()`
> - provide all valid schemes as default set (based on
> https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml)
>
> == Preffered solution ==
>
> Probide all (IANA) valid schemes as default together with possibility to
> change them by URLField `init()`.
New description:
== The problem ==
There are defined only four schemes as default: http,https,ftp,ftps.
But URL can have many many more valid schemes.
HTTP and FTP as good defaults are invalid - they are too limited.
There is no simple way to extend these schemes nor disable scheme
validation.
We must extend URLField and redeclare `default_validators` class property,
which is too complex for that simple case.
== Possible solutions ==
- disable scheme validation and enable it only when user defines
`allowed_schemes` directly in URLField (backward incompatible)
- provide `allowed_schemes` as an optional argument for URLField
`init()`
- provide all valid schemes as default set (based on
https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml)
== Prefered solution ==
Provide all (IANA) valid schemes as default together with possibility to
change them by URLField `init()`.
--
Comment:
I think we can rule out any backwards incompatible solutions such as
removing the validation or changing the default to all valid schemes. I
don't see a sufficient justification for breaking all sites relying on the
current behavior. You'll need to argue your rationale on the
DevelopersMailingList and get a consensus if you want that.
It seems to me that there are too many customization points on validators
to add a new model field argument for all of them (such as
`allowed_schemes` as you proposed). For example, there have also been
requests to customize the validator's regular expressions. It doesn't seem
clean to add a model field argument for each one of those validator
attributes.
I'd like to try for a more general solution to allow customizing the
`default_validators` as I described in #25594. I believe that would meet
the use case of this ticket.
--
Ticket URL: <https://code.djangoproject.com/ticket/25593#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/065.89267a1cf67345b4e389690439b953b0%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
