Closes #21720: Improve validation of URLs containing HTTP basic authentication (#21822)

Fixes #21720
2026-04-04 16:37:15 +02:00 · 2026-04-02 18:42:06 +02:00
parent a06a300913
commit 5ad4e95207
1 changed files with 5 additions and 5 deletions
--- a/netbox/utilities/validators.py
+++ b/netbox/utilities/validators.py
@@ -31,11 +31,11 @@ class EnhancedURLValidator(URLValidator):
    fqdn_re = URLValidator.hostname_re + URLValidator.domain_re + URLValidator.tld_re
    host_res = [URLValidator.ipv4_re, URLValidator.ipv6_re, fqdn_re, URLValidator.hostname_re]
    regex = _lazy_re_compile(
-        r'^(?:[a-z0-9\.\-\+]*)://'          # Scheme (enforced separately)
-        r'(?:\S+(?::\S*)?@)?'               # HTTP basic authentication
-        r'(?:' + '|'.join(host_res) + ')'   # IPv4, IPv6, FQDN, or hostname
-        r'(?::\d{1,5})?'                    # Port number
-        r'(?:[/?#][^\s]*)?'                 # Path
+        r'^(?:[a-z0-9\.\-\+]*)://'           # Scheme (enforced separately)
+        r'(?:[^\s:@/]+(?::[^\s:@/]*)?@)?'    # HTTP basic authentication
+        r'(?:' + '|'.join(host_res) + ')'    # IPv4, IPv6, FQDN, or hostname
+        r'(?::\d{1,5})?'                     # Port number
+        r'(?:[/?#][^\s]*)?'                  # Path
        r'\Z', re.IGNORECASE)
    schemes = None