Posted to issues@commons.apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2015/11/10 12:42:11 UTC

[jira] [Comment Edited] (VALIDATOR-363) UrlValidator rejects path having two or more successive dots

    [ https://issues.apache.org/jira/browse/VALIDATOR-363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14576589#comment-14576589 ] 

Sebb edited comment on VALIDATOR-363 at 11/10/15 11:42 AM:
-----------------------------------------------------------

This issue occurred due to additional security checking done in the isValidPath() method.

"dot2Count", which was calculated with the intention of invalidating URLs with a directory traversal pattern, counted "double dots" within the path section that are not actual directory traversals.

Please check the attached patch for the proposed solution; I have added relevant tests as well as additional comments to further describe the purpose of dot2Count.


was (Author: ayomawdb):
This issue occurred due to additional security checking done in the isValidPath(-) method.

"dot2Count", which was calculated with the intention of invalidating URLs with a directory traversal pattern, counted "double dots" within the path section that are not actual directory traversals.

Please check the attached patch for the proposed solution; I have added relevant tests as well as additional comments to further describe the purpose of dot2Count.

> UrlValidator rejects path having two or more successive dots
> ------------------------------------------------------------
>
>                 Key: VALIDATOR-363
>                 URL: https://issues.apache.org/jira/browse/VALIDATOR-363
>             Project: Commons Validator
>          Issue Type: Bug
>    Affects Versions: 1.4.1 Release
>            Reporter: Stefan Pi
>         Attachments: VALIDATOR-363.patch
>
>
> Minimal example:
> {code}
> UrlValidator urlValidator = new UrlValidator();
> boolean isValidOneDot = urlValidator.isValid("http://www.example.org/hello.world/"); // evaluates to true
> boolean isValidTwoDots = urlValidator.isValid("http://www.example.org/hello..world/"); // evaluates to false
> {code}
> Real world example:
> {code}
> UrlValidator urlValidator = new UrlValidator();
> boolean isValidRealWord = urlValidator.isValid("http://forum.golem.de/sonstiges/trollwiese/apple-bashing-in-3...2...1...go/98,4089549,4089549,read.html#msg-4089549"); // evaluates to false
> {code}
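
The distinction the comment describes, as an added example (this is not the attached patch and not Commons Validator code): counting ".." as a substring flags the reporter's URLs, while counting only whole path segments equal to ".." does not. The class and method names are hypothetical, and the last URL is constructed for contrast.

```java
import java.net.URI;
import java.util.List;

public class DotSegmentCheck {

    // Substring view: every non-overlapping ".." in the path is counted,
    // including dots that are just part of a file or directory name.
    static int countDoubleDotSubstrings(String path) {
        int count = 0;
        for (int i = path.indexOf(".."); i != -1; i = path.indexOf("..", i + 2)) {
            count++;
        }
        return count;
    }

    // Segment view: only a complete segment equal to ".." refers to the
    // parent directory, so only those are counted.
    static int countTraversalSegments(String path) {
        int count = 0;
        for (String segment : path.split("/", -1)) {
            if (segment.equals("..")) {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) {
        List<String> urls = List.of(
            // The three URLs from the issue report
            "http://www.example.org/hello.world/",
            "http://www.example.org/hello..world/",
            "http://forum.golem.de/sonstiges/trollwiese/apple-bashing-in-3...2...1...go/98,4089549,4089549,read.html#msg-4089549",
            // Constructed sample containing real ".." segments
            "http://www.example.org/a/../../b/"
        );
        for (String url : urls) {
            // Raw path only: percent-encoded dots are not decoded in this example.
            String path = URI.create(url).getRawPath();
            System.out.printf("substrings=%d segments=%d path=%s%n",
                countDoubleDotSubstrings(path), countTraversalSegments(path), path);
        }
    }
}
```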


