[Bug] Homepage URL inconsistencies and crash in urllib.parse.urlparse

Description

The URL validation of the homepage is less strict in FastAPI, allowing things like https://aa... with longer domain names than is valid and other such nonsense. None of this is particularly harmful, except for some cases that cause urlparse from urllib.parse to throw a ValueError, like the unmatched [] that you see in IPv6 addresses. The valid_homepage function should catch these and return False, disallowing them.

Reproduction

Try and set your Homepage URL on https://localhost:8444/account/uncoupling/edit to https://[.

Logs



Traceback (most recent call last):
  File "/aurweb/./aurweb/asgi.py", line 197, in add_security_headers
    response = await util.error_or_result(call_next, request)
  File "/aurweb/./aurweb/util.py", line 228, in error_or_result
    response = await next(*args, **kwargs)
  File "/usr/lib/python3.10/site-packages/starlette/middleware/base.py", line 44, in call_next
    raise app_exc
  File "/usr/lib/python3.10/site-packages/starlette/middleware/base.py", line 34, in coro
    await self.app(scope, request.receive, send_stream.send)
  File "/usr/lib/python3.10/site-packages/starlette/middleware/base.py", line 63, in __call__
    response = await self.dispatch_func(request, call_next)
  File "/usr/lib/python3.10/site-packages/prometheus_fastapi_instrumentator/instrumentation.py", line 172, in dispatch_middleware
    raise e from None
  File "/usr/lib/python3.10/site-packages/prometheus_fastapi_instrumentator/instrumentation.py", line 169, in dispatch_middleware
    response = await call_next(request)
  File "/usr/lib/python3.10/site-packages/starlette/middleware/base.py", line 44, in call_next
    raise app_exc
  File "/usr/lib/python3.10/site-packages/starlette/middleware/base.py", line 34, in coro
    await self.app(scope, request.receive, send_stream.send)
  File "/usr/lib/python3.10/site-packages/starlette/exceptions.py", line 82, in __call__
    raise exc
  File "/usr/lib/python3.10/site-packages/starlette/exceptions.py", line 71, in __call__
    await self.app(scope, receive, sender)
  File "/usr/lib/python3.10/site-packages/starlette/routing.py", line 656, in __call__
    await route.handle(scope, receive, send)
  File "/usr/lib/python3.10/site-packages/starlette/routing.py", line 259, in handle
    await self.app(scope, receive, send)
  File "/usr/lib/python3.10/site-packages/starlette/routing.py", line 61, in app
    response = await func(request)
  File "/usr/lib/python3.10/site-packages/fastapi/routing.py", line 226, in app
    raw_response = await run_endpoint_function(
  File "/usr/lib/python3.10/site-packages/fastapi/routing.py", line 159, in run_endpoint_function
    return await dependant.call(**values)
  File "/aurweb/./aurweb/auth/__init__.py", line 181, in wrapper
    return await _auth_required(True)(func)(*args, **kwargs)
  File "/aurweb/./aurweb/auth/__init__.py", line 151, in wrapper
    return await func(request, *args, **kwargs)
  File "/aurweb/./aurweb/routers/accounts.py", line 402, in account_edit_post
    ok, errors = process_account_form(request, user, args)
  File "/aurweb/./aurweb/routers/accounts.py", line 150, in process_account_form
    check(**args, request=request, user=user, _=_)
  File "/aurweb/./aurweb/users/validate.py", line 98, in invalid_homepage
    if HP and not util.valid_homepage(HP):
  File "/aurweb/./aurweb/util.py", line 66, in valid_homepage
    parts = urlparse(homepage)
  File "/usr/lib/python3.10/urllib/parse.py", line 393, in urlparse
    splitresult = urlsplit(url, scheme, allow_fragments)
  File "/usr/lib/python3.10/urllib/parse.py", line 484, in urlsplit
    raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL

Version(s)

FastAPI.
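
An added example, not aurweb's own code: one way a validator can turn the parser's ValueError into a rejection instead of an unhandled exception, and also bound the hostname length mentioned in the description. Only the name valid_homepage and the use of urllib.parse come from the report; the http/https allowlist, the helper _valid_host and the sample URLs are assumptions made for this sketch.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: homepages are web URLs
MAX_HOSTNAME_LEN = 253  # DNS limit on the full name
MAX_LABEL_LEN = 63      # DNS limit on each dot-separated label


def _valid_host(host: str) -> bool:
    """Hypothetical helper: accept an IPv6 literal or a length-bounded name."""
    if ":" in host:  # only a bracketed IPv6 literal can contain ':' here
        try:
            ipaddress.ip_address(host)
            return True
        except ValueError:
            return False
    name = host[:-1] if host.endswith(".") else host  # tolerate a root dot
    if not name or len(name) > MAX_HOSTNAME_LEN:
        return False
    return all(0 < len(label) <= MAX_LABEL_LEN for label in name.split("."))


def valid_homepage(homepage: str) -> bool:
    """Return False for anything the parser rejects instead of raising."""
    try:
        parts = urlsplit(homepage)  # raises ValueError on "https://["
        host = parts.hostname
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False
    return _valid_host(host)


# Constructed sample inputs with the verdict each should receive.
SAMPLES = {
    "https://example.org/pkg": True,
    "https://[::1]/": True,
    "https://[": False,                     # reproduction case from the report
    "https://" + "a" * 64 + ".org": False,  # label longer than 63 characters
    "https://example.org:notaport/": False,
    "ftp://example.org/": False,
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        print(f"{valid_homepage(url)!s:5} (expected {expected}) {url[:40]}")
```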
