You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@commons.apache.org by Adrian Crum <ad...@sandglass-software.com> on 2015/09/25 23:18:43 UTC
[validator] Inconsistent behavior in UrlValidator
I was just looking at the UrlValidator test and I noticed that localhost
is allowed in the URL if the ALLOW_LOCAL_URLS flag is set, and it is not
allowed if the ALLOW_LOCAL_URLS flag is not set.
If the ALLOW_LOCAL_URLS is not set, a loopback IP address (127.0.0.1)
URL will validate. It seems to me that it shouldn't - to be consistent
with the localhost behavior.
What do you think?
--
Adrian Crum
Sandglass Software
www.sandglass-software.com
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: [validator] Inconsistent behavior in UrlValidator
Posted by Benedikt Ritter <be...@gmail.com>.
2015-09-28 18:48 GMT+02:00 sebb <se...@gmail.com>:
> The java.net.InetAddress class has a method: isLoopbackAddress()
>
> We should use whatever validation is provided by the JDK, not try and
> invent our own
>
+1
>
> On 27 September 2015 at 18:21, Kristian Rosenvold <kr...@apache.org>
> wrote:
> > Yeah, as long as the full range is validated it should be fine.
> >
> > K
> >
> >
> > 2015-09-27 19:17 GMT+02:00 Adrian Crum <
> adrian.crum@sandglass-software.com>:
> >> The address range 127.0.0.0 to 127.255.255.255 is reserved for loopback
> >> testing. It seems pretty straightforward to me.
> >>
> >> Adrian Crum
> >> Sandglass Software
> >> www.sandglass-software.com
> >>
> >> On 9/27/2015 8:07 AM, Kristian Rosenvold wrote:
> >>>
> >>> 127.0.0.1 is not always the address for localhost. This is a can of
> worms
> >>> big enough to drive a medium-sized container ship into
> >>>
> >>> Kristian
> >>> 27. sep. 2015 4.13 p.m. skrev "Benedikt Ritter" <br...@apache.org>:
> >>>
> >>>> Hm... since localhost is usually only an alias for 127.0.0.1 it
> doesn't
> >>>> really make sense to allow one but not the other.
> >>>>
> >>>> 2015-09-25 23:18 GMT+02:00 Adrian Crum
> >>>> <adrian.crum@sandglass-software.com
> >>>>>
> >>>>> :
> >>>>
> >>>>
> >>>>> I was just looking at the UrlValidator test and I noticed that
> localhost
> >>>>> is allowed in the URL if the ALLOW_LOCAL_URLS flag is set, and it is
> not
> >>>>> allowed if the ALLOW_LOCAL_URLS flag is not set.
> >>>>>
> >>>>> If the ALLOW_LOCAL_URLS is not set, a loopback IP address (127.0.0.1)
> >>>>> URL
> >>>>> will validate. It seems to me that it shouldn't - to be consistent
> with
> >>>>
> >>>> the
> >>>>>
> >>>>> localhost behavior.
> >>>>>
> >>>>> What do you think?
> >>>>>
> >>>>> --
> >>>>> Adrian Crum
> >>>>> Sandglass Software
> >>>>> www.sandglass-software.com
> >>>>>
> >>>>> ---------------------------------------------------------------------
> >>>>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >>>>> For additional commands, e-mail: dev-help@commons.apache.org
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>> http://people.apache.org/~britter/
> >>>> http://www.systemoutprintln.de/
> >>>> http://twitter.com/BenediktRitter
> >>>> http://github.com/britter
> >>>>
> >>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >> For additional commands, e-mail: dev-help@commons.apache.org
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
>
Re: [validator] Inconsistent behavior in UrlValidator
Posted by sebb <se...@gmail.com>.
The java.net.InetAddress class has a method: isLoopbackAddress()
We should use whatever validation is provided by the JDK, not try and
invent our own
On 27 September 2015 at 18:21, Kristian Rosenvold <kr...@apache.org> wrote:
> Yeah, as long as the full range is validated it should be fine.
>
> K
>
>
> 2015-09-27 19:17 GMT+02:00 Adrian Crum <ad...@sandglass-software.com>:
>> The address range 127.0.0.0 to 127.255.255.255 is reserved for loopback
>> testing. It seems pretty straightforward to me.
>>
>> Adrian Crum
>> Sandglass Software
>> www.sandglass-software.com
>>
>> On 9/27/2015 8:07 AM, Kristian Rosenvold wrote:
>>>
>>> 127.0.0.1 is not always the address for localhost. This is a can of worms
>>> big enough to drive a medium-sized container ship into
>>>
>>> Kristian
>>> 27. sep. 2015 4.13 p.m. skrev "Benedikt Ritter" <br...@apache.org>:
>>>
>>>> Hm... since localhost is usually only an alias for 127.0.0.1 it doesn't
>>>> really make sense to allow one but not the other.
>>>>
>>>> 2015-09-25 23:18 GMT+02:00 Adrian Crum
>>>> <adrian.crum@sandglass-software.com
>>>>>
>>>>> :
>>>>
>>>>
>>>>> I was just looking at the UrlValidator test and I noticed that localhost
>>>>> is allowed in the URL if the ALLOW_LOCAL_URLS flag is set, and it is not
>>>>> allowed if the ALLOW_LOCAL_URLS flag is not set.
>>>>>
>>>>> If the ALLOW_LOCAL_URLS is not set, a loopback IP address (127.0.0.1)
>>>>> URL
>>>>> will validate. It seems to me that it shouldn't - to be consistent with
>>>>
>>>> the
>>>>>
>>>>> localhost behavior.
>>>>>
>>>>> What do you think?
>>>>>
>>>>> --
>>>>> Adrian Crum
>>>>> Sandglass Software
>>>>> www.sandglass-software.com
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> http://people.apache.org/~britter/
>>>> http://www.systemoutprintln.de/
>>>> http://twitter.com/BenediktRitter
>>>> http://github.com/britter
>>>>
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: [validator] Inconsistent behavior in UrlValidator
Posted by Kristian Rosenvold <kr...@apache.org>.
Yeah, as long as the full range is validated it should be fine.
K
2015-09-27 19:17 GMT+02:00 Adrian Crum <ad...@sandglass-software.com>:
> The address range 127.0.0.0 to 127.255.255.255 is reserved for loopback
> testing. It seems pretty straightforward to me.
>
> Adrian Crum
> Sandglass Software
> www.sandglass-software.com
>
> On 9/27/2015 8:07 AM, Kristian Rosenvold wrote:
>>
>> 127.0.0.1 is not always the address for localhost. This is a can of worms
>> big enough to drive a medium-sized container ship into
>>
>> Kristian
>> 27. sep. 2015 4.13 p.m. skrev "Benedikt Ritter" <br...@apache.org>:
>>
>>> Hm... since localhost is usually only an alias for 127.0.0.1 it doesn't
>>> really make sense to allow one but not the other.
>>>
>>> 2015-09-25 23:18 GMT+02:00 Adrian Crum
>>> <adrian.crum@sandglass-software.com
>>>>
>>>> :
>>>
>>>
>>>> I was just looking at the UrlValidator test and I noticed that localhost
>>>> is allowed in the URL if the ALLOW_LOCAL_URLS flag is set, and it is not
>>>> allowed if the ALLOW_LOCAL_URLS flag is not set.
>>>>
>>>> If the ALLOW_LOCAL_URLS is not set, a loopback IP address (127.0.0.1)
>>>> URL
>>>> will validate. It seems to me that it shouldn't - to be consistent with
>>>
>>> the
>>>>
>>>> localhost behavior.
>>>>
>>>> What do you think?
>>>>
>>>> --
>>>> Adrian Crum
>>>> Sandglass Software
>>>> www.sandglass-software.com
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>>
>>>>
>>>
>>>
>>> --
>>> http://people.apache.org/~britter/
>>> http://www.systemoutprintln.de/
>>> http://twitter.com/BenediktRitter
>>> http://github.com/britter
>>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: [validator] Inconsistent behavior in UrlValidator
Posted by Adrian Crum <ad...@sandglass-software.com>.
The address range 127.0.0.0 to 127.255.255.255 is reserved for loopback
testing. It seems pretty straightforward to me.
Adrian Crum
Sandglass Software
www.sandglass-software.com
On 9/27/2015 8:07 AM, Kristian Rosenvold wrote:
> 127.0.0.1 is not always the address for localhost. This is a can of worms
> big enough to drive a medium-sized container ship into
>
> Kristian
> 27. sep. 2015 4.13 p.m. skrev "Benedikt Ritter" <br...@apache.org>:
>
>> Hm... since localhost is usually only an alias for 127.0.0.1 it doesn't
>> really make sense to allow one but not the other.
>>
>> 2015-09-25 23:18 GMT+02:00 Adrian Crum <adrian.crum@sandglass-software.com
>>> :
>>
>>> I was just looking at the UrlValidator test and I noticed that localhost
>>> is allowed in the URL if the ALLOW_LOCAL_URLS flag is set, and it is not
>>> allowed if the ALLOW_LOCAL_URLS flag is not set.
>>>
>>> If the ALLOW_LOCAL_URLS is not set, a loopback IP address (127.0.0.1) URL
>>> will validate. It seems to me that it shouldn't - to be consistent with
>> the
>>> localhost behavior.
>>>
>>> What do you think?
>>>
>>> --
>>> Adrian Crum
>>> Sandglass Software
>>> www.sandglass-software.com
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>
>>>
>>
>>
>> --
>> http://people.apache.org/~britter/
>> http://www.systemoutprintln.de/
>> http://twitter.com/BenediktRitter
>> http://github.com/britter
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: [validator] Inconsistent behavior in UrlValidator
Posted by Kristian Rosenvold <kr...@apache.org>.
127.0.0.1 is not always the address for localhost. This is a can of worms
big enough to drive a medium-sized container ship into
Kristian
27. sep. 2015 4.13 p.m. skrev "Benedikt Ritter" <br...@apache.org>:
> Hm... since localhost is usually only an alias for 127.0.0.1 it doesn't
> really make sense to allow one but not the other.
>
> 2015-09-25 23:18 GMT+02:00 Adrian Crum <adrian.crum@sandglass-software.com
> >:
>
> > I was just looking at the UrlValidator test and I noticed that localhost
> > is allowed in the URL if the ALLOW_LOCAL_URLS flag is set, and it is not
> > allowed if the ALLOW_LOCAL_URLS flag is not set.
> >
> > If the ALLOW_LOCAL_URLS is not set, a loopback IP address (127.0.0.1) URL
> > will validate. It seems to me that it shouldn't - to be consistent with
> the
> > localhost behavior.
> >
> > What do you think?
> >
> > --
> > Adrian Crum
> > Sandglass Software
> > www.sandglass-software.com
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
> >
> >
>
>
> --
> http://people.apache.org/~britter/
> http://www.systemoutprintln.de/
> http://twitter.com/BenediktRitter
> http://github.com/britter
>
Re: [validator] Inconsistent behavior in UrlValidator
Posted by Benedikt Ritter <br...@apache.org>.
Hm... since localhost is usually only an alias for 127.0.0.1 it doesn't
really make sense to allow one but not the other.
2015-09-25 23:18 GMT+02:00 Adrian Crum <ad...@sandglass-software.com>:
> I was just looking at the UrlValidator test and I noticed that localhost
> is allowed in the URL if the ALLOW_LOCAL_URLS flag is set, and it is not
> allowed if the ALLOW_LOCAL_URLS flag is not set.
>
> If the ALLOW_LOCAL_URLS is not set, a loopback IP address (127.0.0.1) URL
> will validate. It seems to me that it shouldn't - to be consistent with the
> localhost behavior.
>
> What do you think?
>
> --
> Adrian Crum
> Sandglass Software
> www.sandglass-software.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
>
--
http://people.apache.org/~britter/
http://www.systemoutprintln.de/
http://twitter.com/BenediktRitter
http://github.com/britter