From e8c3e12b14697c13b9ff885ee9274aab1727d330 Mon Sep 17 00:00:00 2001
From: Karthik Ramadugu <karthiksaidham109@gmail.com>
Date: Sun, 15 Feb 2026 00:13:49 -0500
Subject: [PATCH] fix hostname accepting values longer than 253 chars when they
 contain dots

Fixes #413

The hostname validator was only checking individual label lengths via
regex but had no overall length limit. Hostnames with dots that had
each label under 63 chars but total length over 253 would slip through.

Added a 253 character check on the host segment both with and without
a port, per RFC 1123. Added a test case for this.
---
 src/validators/hostname.py |  5 +++++
 tests/test_hostname.py     | 10 ++++++++++
 2 files changed, 15 insertions(+)

diff --git a/src/validators/hostname.py b/src/validators/hostname.py
index bdf6bdb0..1c4f603c 100644
--- a/src/validators/hostname.py
+++ b/src/validators/hostname.py
@@ -114,6 +114,8 @@ def hostname(
         return False
 
     if may_have_port and (host_seg := _port_validator(value)):
+        if len(host_seg) > 253:
+            return False
         return (
             (_simple_hostname_regex().match(host_seg) if maybe_simple else False)
             or domain(host_seg, consider_tld=consider_tld, rfc_1034=rfc_1034, rfc_2782=rfc_2782)
@@ -121,6 +123,9 @@ def hostname(
             or (False if skip_ipv6_addr else ipv6(host_seg, cidr=False))
         )
 
+    if len(value) > 253:
+        return False
+
     return (
         (_simple_hostname_regex().match(value) if maybe_simple else False)
         or domain(value, consider_tld=consider_tld, rfc_1034=rfc_1034, rfc_2782=rfc_2782)
diff --git a/tests/test_hostname.py b/tests/test_hostname.py
index 6ff40406..fde616c7 100644
--- a/tests/test_hostname.py
+++ b/tests/test_hostname.py
@@ -40,6 +40,16 @@ def test_returns_true_on_valid_hostname(value: str, rfc_1034: bool, rfc_2782: bo
 @pytest.mark.parametrize(
     ("value", "rfc_1034", "rfc_2782"),
     [
+        # bad (hostname exceeding 253 chars)
+        (
+            "kld8MXQh6YalMqKRbfs895gMjW5T4p2EwToPoCSThPHHbXgmXc."
+            "kld8MXQh6YalMqKRbfs895gMjW5T4p2EwToPoCSThPHHbXgmXc."
+            "kld8MXQh6YalMqKRbfs895gMjW5T4p2EwToPoCSThPHHbXgmXc."
+            "kld8MXQh6YalMqKRbfs895gMjW5T4p2EwToPoCSThPHHbXgmXc."
+            "kld8MXQh6YalMqKRbfs895gMjW5T4p2EwToPoCSThPHHbXgmXcab",
+            False,
+            False,
+        ),
         # bad (simple hostname w/ optional ports)
         ("ubuntu-pc:443080", False, False),
         ("this-pc-is-sh*t", False, False),