summaryrefslogtreecommitdiff
path: root/django/core/validators.py
AgeCommit message (Collapse)Author
2025-04-02Fixed CVE-2025-27556 -- Mitigated potential DoS in ↵Sarah Boyce
url_has_allowed_host_and_scheme() on Windows. Thank you sw0rd1ight for the report.
2025-01-08Fixed #36014 -- Supported international domains in EmailValidator.Chaitanya Rahalkar
2024-12-13Fixed #36007 -- Removed dead code from URLValidator.Mike Edmunds
The "Trivial case failed. Try for possible IDN domain" handling was obsoleted by ticket-20003, which adjusted the regular expressions to allow all international domain names (Refs #20003). Uses of `ul` were moved to DomainNameValidator in ticket-18119 (Refs #18119).
2024-10-17Fixed #35845 -- Updated DomainNameValidator to require entire string to be a ↵Justin Thurman
valid domain name. Bug in 4971a9afe5642569f3dcfcd3972ebb39e88dd457. Thank you to kazet for the report and Claude Paroz for the review.
2024-05-21Fixed #18119 -- Added a DomainNameValidator validator.Berker Peksag
Thanks Claude Paroz for the review. Co-authored-by: Nina Menezes <77671865+nmenezes0@users.noreply.github.com>
2023-11-24Fixed #34818 -- Prevented GenericIPAddressField from mutating error messages.Parth Verma
Co-authored-by: Parth Verma <parth.verma@gmail.com>
2023-10-28Fixed #34943 -- Made EmailValidator.__eq__() ignore domain_allowlist ordering.ksg
Signed-off-by: ksg97031 <ksg97031@gmail.com>
2023-10-24Fixed #34920 -- Made FileExtensionValidator.__eq__() ignore ↵ksg97031
allowed_extensions ordering.
2023-07-03Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and ↵Mariusz Felisiak
URLValidator. Thanks Seokchan Yoon for reports.
2023-06-16Fixed #34473 -- Fixed step validation for form fields with non-zero minimum ↵Jacob Rief
value.
2023-01-18Fixed #34233 -- Dropped support for Python 3.8 and 3.9.Mariusz Felisiak
2022-09-17Fixed #34014 -- Fixed DecimalValidator validating 0 in positive exponent ↵Kamil Turek
scientific notation. Thanks Shiplu Mokaddim for the report.
2022-05-12Fixed #32559 -- Added 'step_size’ to numeric form fields.Kapil Bansal
Co-authored-by: Jacob Rief <jacob.rief@uibk.ac.at>
2022-02-07Refs #33476 -- Refactored code to strictly match 88 characters line length.Mariusz Felisiak
2022-02-07Refs #33476 -- Reformatted code with Black.django-bot
2022-01-07Fixed #28628 -- Changed \d to [0-9] in regexes where appropriate.Ad Timmering
2021-12-20Fixed #33367 -- Fixed URLValidator crash in some edge cases.mendespedro
2021-09-20Refs #31670 -- Removed whitelist argument and domain_whitelist attribute in ↵Mariusz Felisiak
EmailValidator per deprecation timeline.
2021-08-06Fixed typo in regex for IPv6 literals in EmailValidator.qimingmafan
2021-07-22Fixed #32930 -- Fixed URLValidator when port numbers < 10.Wu Haotian
2021-06-02Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.Mariusz Felisiak
validate_ipv4_address() was affected only on Python < 3.9.5, see [1]. URLValidator() uses a regular expressions and it was affected on all Python versions. [1] https://bugs.python.org/issue36384
2021-05-06Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being ↵Mariusz Felisiak
accepted in URLValidator on Python 3.9.5+. In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines and tabs from URLs [1, 2]. Unfortunately it created an issue in the URLValidator. URLValidator uses urllib.urlsplit() and urllib.urlunsplit() for creating a URL variant with Punycode which no longer contains newlines and tabs in Python 3.9.5+. As a consequence, the regular expression matched the URL (without unsafe characters) and the source value (with unsafe characters) was considered valid. [1] https://bugs.python.org/issue43882 and [2] https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4
2021-01-04Fixed #32298 -- Fixed URLValidator hostname length validation.Akshat1Nar
URLValidator now validates the maximum length of a hostname without the userinfo and port.
2020-07-27Fixed #31806 -- Made validators include the value in ValidationErrors.Jon Dufresne
2020-07-27Removed redundant forms.DecimalField.validate() in favor of DecimalValidator.Jon Dufresne
2020-06-18Refs #31670 -- Renamed whitelist argument and attribute of EmailValidator.David Smith
2020-05-11Refs #30116 -- Simplified regex match group access with Match.__getitem__().Jon Dufresne
The method has been available since Python 3.6. The shorter syntax is also marginally faster.
2020-05-08Fixed #31548 -- Fixed URLValidator crash on non-strings.Yash Saini
2020-04-20Capitalized Unicode in docs, strings, and comments.Jon Dufresne
2020-02-28Fixed #31311 -- Removed unneeded escapes in validator regexes.kimbo
Special characters lose their special meaning inside sets of characters. "-" lose its special meaning if it's placed as the first or last character.
2019-10-29Refs #30899 -- Moved _lazy_re_compile() to the django.utils.regex_helper.Hasan Ramezani
2019-10-01Fixed #30651 -- Made __eq__() methods return NotImplemented for not ↵ElizabethU
implemented comparisons. Changed __eq__ to return NotImplemented instead of False if compared to an object of the same type, as is recommended by the Python data model reference. Now these models can be compared to ANY (or other objects with __eq__ overwritten) without returning False automatically.
2019-07-03Refs #30608 -- Added django.utils.encoding.punycode().Mariusz Felisiak
2019-06-28Fixed #30400 -- Improved typography of user facing strings.Jon Dufresne
Thanks Claude Paroz for assistance with translations.
2018-10-22Fixed #29860 -- Allowed BaseValidator to accept a callable limit_value.buzzi
2018-07-23Fixed #29528 -- Made URLValidator reject invalid characters in the username ↵Tim Bell
and password.
2018-04-19Ref #23919 -- Replaced some os.path usage with pathlib.Path.Tom
2018-01-30Fixed #29065 -- Made django.core.validators only load Pillow if needed.Collin Anderson
2018-01-10Fixed #29007 -- Fixed DecimalValidator crash on NaN, SNan, Inf, and Infinity ↵Fabio Bonelli
values.
2017-12-07Fixed #28906 -- Removed unnecessary bool() calls.Tim Graham
2017-09-27Fixed #28562 -- Fixed DecimalValidator handling of positive exponent ↵Josh Schneier
scientific notation.
2017-09-07Reverted "Fixed #27818 -- Replaced try/except/pass with contextlib.suppress()."Tim Graham
This reverts commit 550cb3a365dee4edfdd1563224d5304de2a57fda because try/except performs better.
2017-08-12Fixed #28201 -- Added ProhibitNullCharactersValidator and used it on ↵Alejandro Zamora
CharField form field.
2017-06-28Fixed #27818 -- Replaced try/except/pass with contextlib.suppress().Mads Jensen
2017-06-07Fixed #28165 -- Ignored case in FileExtensionValidator's allowed_extensions.Arne de Laat
2017-05-27Fixed #28249 -- Removed unnecessary dict.keys() calls.Jon Dufresne
iter(dict) is equivalent to iter(dict.keys()).
2017-05-25Made RegexValidator's inverse_match logic clearer.Edward D'Souza
2017-04-27Refs #27795 -- Replaced many force_text() with str()Claude Paroz
Thanks Tim Graham for the review.
2017-03-23Fixed #27952 -- Added translation hint for RegexValidator error message.Paul
2017-03-21Fixed #27945 -- Clarified that RegexValidator searches with the regex.seanfagan