#33365: Functionality change in 3.2.10 for re_path().
-------------------------------------+-------------------------------------
     Reporter:  Pkt                  |                    Owner:  nobody
         Type:  Bug                  |                   Status:  closed
    Component:  Core (URLs)          |                  Version:  3.2
     Severity:  Normal               |               Resolution:  invalid
     Keywords:  3.2.10 resolvers     |             Triage Stage:
  re_path                            |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Florian Apolloner):

 > It is a big enough change that it should at least have been noted
 explicitly in the release notes.

 Agreed, if we had known at that point that those URLs are broken we
 would have noted or fixed it. Sadly it is always easier to note this after
 the fact and with security releases we generally have less review (or at
 least reviews from a rather homogeneous group).

 > And, IMHO, it's a mistake (I'll admit to not having read the CVE that
 prompted this change).

 Well, the most common (documented as well as what our tests cover) is having
 URLs like `re_path(r'^…$')` -- while it is possible to drop `^` and `$`, I
 think it is rather uncommon, which is why we didn't realize it. That said,
 because a simple work-around does exist, I think we maybe should keep it
 like it is currently. After all, one usually wants to match the whole URL.
 I'd even go as far as to issue a warning if `^` is not present.

 Out of curiosity, what did you validate with that view? I.e., wouldn't
 `r"^(?P<prefix>.*)/validate$"` have made more sense? I am not saying you are
 doing anything wrong but merely trying to understand which other issues
 people could run into -- so I need to know the use cases.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/33365#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
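
The matching difference discussed in this comment, as an added example that is not part of the ticket or Django's own code: it assumes the 3.2.10 change makes endpoint patterns ending in `$` use `fullmatch()` instead of `search()`, models that with plain `re`, and reports which constructed patterns stop matching. `match_before`, `match_after`, `needs_start_anchor` and `audit` are hypothetical helper names.

```python
import re

def match_before(pattern, path):
    """Assumed pre-3.2.10 behaviour: unanchored search over the path."""
    return re.compile(pattern).search(path) is not None

def match_after(pattern, path, is_endpoint=True):
    """Assumed 3.2.10 behaviour: endpoint patterns ending in '$' must
    match the whole path; everything else still uses search."""
    regex = re.compile(pattern)
    if is_endpoint and pattern.endswith("$"):
        return regex.fullmatch(path) is not None
    return regex.search(path) is not None

def needs_start_anchor(pattern):
    """The warning idea from the comment: '$' present but no leading '^'."""
    return pattern.endswith("$") and not pattern.startswith("^")

def audit(patterns, sample_paths):
    """Return (pattern, path) pairs that matched before but not after."""
    return [
        (pattern, path)
        for pattern in patterns
        for path in sample_paths
        if match_before(pattern, path) and not match_after(pattern, path)
    ]

# Constructed sample data, not taken from the ticket.
PATTERNS = [
    r"^accounts/validate$",          # fully anchored
    r"validate$",                    # no '^': relied on search semantics
    r"^(?P<prefix>.*)/validate$",    # the form suggested in the comment
]
# Under search, '$' also matches just before a trailing newline.
PATHS = ["accounts/validate", "accounts/validate\n", "api/v1/validate"]

if __name__ == "__main__":
    for pattern, path in audit(PATTERNS, PATHS):
        print(f"{pattern!r} no longer matches {path!r}")
    for pattern in PATTERNS:
        if needs_start_anchor(pattern):
            print(f"{pattern!r}: add '^' or a leading group to cover the whole path")
```
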
