From cdcf4164bec9dc09465424d7042c3f9d4f0f1fdc Mon Sep 17 00:00:00 2001
From: Tim Bell <timothybell@gmail.com>
Date: Tue, 24 Jul 2018 00:30:01 +1000
Subject: [PATCH] Fixed #29528 -- Made URLValidator reject invalid characters
 in the username and password.

---
 django/core/validators.py         | 2 +-
 tests/validators/invalid_urls.txt | 6 ++++++
 tests/validators/valid_urls.txt   | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/django/core/validators.py b/django/core/validators.py
index 92394a7eae..c1c9cd1c87 100644
--- a/django/core/validators.py
+++ b/django/core/validators.py
@@ -94,7 +94,7 @@ class URLValidator(RegexValidator):
 
     regex = _lazy_re_compile(
         r'^(?:[a-z0-9\.\-\+]*)://'  # scheme is validated separately
-        r'(?:\S+(?::\S*)?@)?'  # user:pass authentication
+        r'(?:[^\s:@/]+(?::[^\s:@/]*)?@)?'  # user:pass authentication
         r'(?:' + ipv4_re + '|' + ipv6_re + '|' + host_re + ')'
         r'(?::\d{2,5})?'  # port
         r'(?:[/?#][^\s]*)?'  # resource path
diff --git a/tests/validators/invalid_urls.txt b/tests/validators/invalid_urls.txt
index 04a0b5fb1b..4a092034ff 100644
--- a/tests/validators/invalid_urls.txt
+++ b/tests/validators/invalid_urls.txt
@@ -57,3 +57,9 @@ http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.
 http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaa
 https://test.[com
+http://foo@bar@example.com
+http://foo/bar@example.com
+http://foo:bar:baz@example.com
+http://foo:bar@baz@example.com
+http://foo:bar/baz@example.com
+http://invalid-.com/?m=foo@example.com
diff --git a/tests/validators/valid_urls.txt b/tests/validators/valid_urls.txt
index 4bc8c03059..f79f948142 100644
--- a/tests/validators/valid_urls.txt
+++ b/tests/validators/valid_urls.txt
@@ -48,7 +48,7 @@ http://foo.bar/?q=Test%20URL-encoded%20stuff
 http://مثال.إختبار
 http://例子.测试
 http://उदाहरण.परीक्षा
-http://-.~_!$&'()*+,;=:%40:80%2f::::::@example.com
+http://-.~_!$&'()*+,;=%40:80%2f@example.com
 http://xn--7sbb4ac0ad0be6cf.xn--p1ai
 http://1337.net
 http://a.b-c.de