django.git/tests/forms_tests/field_tests/test_urlfield.py, branch main django http://cgit.adnoto.dev/django.git/atom?h=main 2026-03-03T20:40:38Z Fixed #36923 -- Added tests for non-hierarchical URI schemes in URLField.to_python(). 2026-03-03T20:40:38Z Natalia 124304+nessita@users.noreply.github.com 2026-03-03T15:31:04Z urn:sha1:4b6c998301fedec279ec97b6547e67c3e88b7ff0 Follow up to 951ffb3832cd83ba672c1e3deae2bda128eb9cca. Fixed CVE-2026-25673 -- Simplified URLField scheme detection. 2026-03-03T12:08:46Z Natalia 124304+nessita@users.noreply.github.com 2026-01-30T01:52:41Z urn:sha1:951ffb3832cd83ba672c1e3deae2bda128eb9cca This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Refs #34380 -- Changed the URLField default scheme to https and removed FORMS_URLFIELD_ASSUME_HTTPS per deprecation timeline. 2025-01-15T21:28:37Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-12-12T16:39:58Z urn:sha1:9a3f86e96009c1137b286f6d579b9d812a0dee69 Fixed #35666 -- Documented stacklevel usage and testing, and adjusted test suite accordingly. 2024-08-28T14:44:05Z Simon Charette charette.s@gmail.com 2024-08-09T17:03:24Z urn:sha1:57307bbc7d88927989cf5b314f16d6e13ade04e6 Over the years we've had multiple instances of hit and misses when emitting warnings: either setting the wrong stacklevel or not setting it at all. This work adds assertions for the existing warnings that were declaring the correct stacklevel, but were lacking tests for it. Refs #34380 -- Added FORMS_URLFIELD_ASSUME_HTTPS transitional setting. 2023-11-28T19:04:21Z Mariusz Felisiak felisiak.mariusz@gmail.com 2023-11-28T19:04:21Z urn:sha1:a4931cd75a1780923b02e43475ba5447df3adb31 This allows early adoption of the new default "https". Refs #34986 -- Fixed some test assertions for PyPy. 2023-11-28T05:19:38Z Nick Pope nick@nickpope.me.uk 2023-11-21T15:11:58Z urn:sha1:baf705f34a8c8977d042ce43c71f508f9ca4f8ce These failures were due to minor inconsistencies or implementation differences between CPython and PyPy. Fixed #34380 -- Allowed specifying a default URL scheme in forms.URLField. 2023-04-28T04:58:10Z Coen van der Kamp coen@fourdigits.nl 2023-03-08T19:12:34Z urn:sha1:7bbbadc69383f0a2b99253e153b974f8783e876d This also deprecates "http" as the default scheme. Refs #33476 -- Reformatted code with Black. 2022-02-07T19:37:05Z django-bot ops@djangoproject.com 2022-02-03T19:24:19Z urn:sha1:9c19aff7c7561e3a82978a272ecdaad40dda5c00 Fixed #33367 -- Fixed URLValidator crash in some edge cases. 2021-12-20T06:30:22Z mendespedro windowsxpedro@gmail.com 2021-12-15T14:55:19Z urn:sha1:e8b4feddc34ffe5759ec21da8fa027e86e653f1c Used subTest() in forms.URLField() tests. 2021-12-16T05:35:44Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-12-16T05:35:44Z urn:sha1:882647a82cebb97cd786a08c013714cfea9c1aed