[Bug] Homepage URL inconsistencies and crash in urllib.parse.urlparse

Description

The URL validation of the homepage is less strict in FastAPI, allowing things like https://aa... with longer domain names than are valid, and other such nonsense. None of this is particularly harmful, except for some cases that cause urlparse from urllib.parse to throw a ValueError, like the unmatched [] that you see in IPv6 addresses. The valid_homepage function should catch these and return False, disallowing them.

Reproduction

Try and set your Homepage URL on https://localhost:8444/account/uncoupling/edit to https://[.

Logs



Traceback (most recent call last):
  File "/aurweb/./aurweb/asgi.py", line 197, in add_security_headers
    response = await util.error_or_result(call_next, request)
  File "/aurweb/./aurweb/util.py", line 228, in error_or_result
    response = await next(*args, **kwargs)
  File "/usr/lib/python3.10/site-packages/starlette/middleware/base.py", line 44, in call_next
    raise app_exc
  File "/usr/lib/python3.10/site-packages/starlette/middleware/base.py", line 34, in coro
    await self.app(scope, request.receive, send_stream.send)
  File "/usr/lib/python3.10/site-packages/starlette/middleware/base.py", line 63, in __call__
    response = await self.dispatch_func(request, call_next)
  File "/usr/lib/python3.10/site-packages/prometheus_fastapi_instrumentator/instrumentation.py", line 172, in dispatch_middleware
    raise e from None
  File "/usr/lib/python3.10/site-packages/prometheus_fastapi_instrumentator/instrumentation.py", line 169, in dispatch_middleware
    response = await call_next(request)
  File "/usr/lib/python3.10/site-packages/starlette/middleware/base.py", line 44, in call_next
    raise app_exc
  File "/usr/lib/python3.10/site-packages/starlette/middleware/base.py", line 34, in coro
    await self.app(scope, request.receive, send_stream.send)
  File "/usr/lib/python3.10/site-packages/starlette/exceptions.py", line 82, in __call__
    raise exc
  File "/usr/lib/python3.10/site-packages/starlette/exceptions.py", line 71, in __call__
    await self.app(scope, receive, sender)
  File "/usr/lib/python3.10/site-packages/starlette/routing.py", line 656, in __call__
    await route.handle(scope, receive, send)
  File "/usr/lib/python3.10/site-packages/starlette/routing.py", line 259, in handle
    await self.app(scope, receive, send)
  File "/usr/lib/python3.10/site-packages/starlette/routing.py", line 61, in app
    response = await func(request)
  File "/usr/lib/python3.10/site-packages/fastapi/routing.py", line 226, in app
    raw_response = await run_endpoint_function(
  File "/usr/lib/python3.10/site-packages/fastapi/routing.py", line 159, in run_endpoint_function
    return await dependant.call(**values)
  File "/aurweb/./aurweb/auth/__init__.py", line 181, in wrapper
    return await _auth_required(True)(func)(*args, **kwargs)
  File "/aurweb/./aurweb/auth/__init__.py", line 151, in wrapper
    return await func(request, *args, **kwargs)
  File "/aurweb/./aurweb/routers/accounts.py", line 402, in account_edit_post
    ok, errors = process_account_form(request, user, args)
  File "/aurweb/./aurweb/routers/accounts.py", line 150, in process_account_form
    check(**args, request=request, user=user, _=_)
  File "/aurweb/./aurweb/users/validate.py", line 98, in invalid_homepage
    if HP and not util.valid_homepage(HP):
  File "/aurweb/./aurweb/util.py", line 66, in valid_homepage
    parts = urlparse(homepage)
  File "/usr/lib/python3.10/urllib/parse.py", line 393, in urlparse
    splitresult = urlsplit(url, scheme, allow_fragments)
  File "/usr/lib/python3.10/urllib/parse.py", line 484, in urlsplit
    raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL

Version(s)

FastAPI.
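
A sketch of the fix the report asks for, added here as an example and not taken from the aurweb code base: it reuses the name valid_homepage from the traceback, turns any ValueError from urllib.parse into a rejection, and also enforces the DNS length limits the description mentions. The http/https allow-list and the ASCII-only label rule are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}  # assumption: a homepage must be a web URL
# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
# Assumption: non-ASCII hosts must be submitted in punycode form.
LABEL_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")
MAX_HOST_LEN = 253


def valid_homepage(homepage: str) -> bool:
    """Return True only for a parseable http(s) URL with a plausible host."""
    try:
        parts = urlparse(homepage)
        # .hostname and .port are computed lazily and can raise ValueError
        # themselves (e.g. a non-numeric or out-of-range port).
        host = parts.hostname
        parts.port
    except ValueError:
        # Covers "https://[" -> ValueError: Invalid IPv6 URL
        return False

    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False

    if "[" in parts.netloc:
        # Bracketed literal: older urlsplit only checks that the brackets
        # match, so validate the address explicitly.
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            return False
        return True

    # Plain host name: allow one trailing dot, then check total and
    # per-label lengths (urlparse has already lowercased the host).
    if host.endswith("."):
        host = host[:-1]
    if len(host) > MAX_HOST_LEN:
        return False
    return all(LABEL_RE.fullmatch(label) for label in host.split("."))
```

Returning False here lets the existing invalid_homepage check report a normal form error instead of the exception propagating through the middleware stack shown in the log.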