commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ben Speakmon (JIRA)" <j...@apache.org>
Subject [jira] Commented: (VALIDATOR-248) Add an option to allow 'localhost' as a valid hostname part in the URL
Date Wed, 07 Nov 2007 00:13:50 GMT

    [ https://issues.apache.org/jira/browse/VALIDATOR-248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12540633
] 

Ben Speakmon commented on VALIDATOR-248:
----------------------------------------

DomainValidator does support labels with dashes in them: "my-machine", "this-domain.org",
etc., all work. Those are valid outside of URLs, for example in email addresses.

The question is how (or if) a URL with unqualified machine names or invalid TLDs should be
validated. I can see cases where, as you say, you'd want to allow machine names in URLs, but
I also think that shouldn't be allowed by default since you would expect machine name URLs
to not validate in security-sensitive contexts such as web form validation.

So right now it works like this in UrlValidator (omitting nonrelevant parts):

if authority doesn't validate in DomainValidator {
    if authority doesn't validate in InetAddressValidator {
        false
    }
}

I'm proposing changing it to this:

if ALLOW_MACHINE_NAMES && authority is in nameslist {
    true // "localhost", "my-machine", etc., specified by user will validate here, "blah"
will not
} else {
    // as above
}

This makes UrlValidator smart enough to handle machine name cases and also lets you do stuff
like http://my-machine.rack.colo/app/test, so you can even use illegal TLDs if you really
want.

DomainValidator, on the other hand, should not be changed. It has a very narrowly defined
scope: validating IANA-approved TLDs and domain names that use them. Since UrlValidator requires
functionality above and beyond that, it makes sense to put that logic in UrlValidator. Since
domain names (as opposed to hostnames/authorities in URLs and RFC 2396) are either valid or
not, it doesn't make sense to allow DomainValidator to loosen its rules.

> Add an option to allow 'localhost' as a valid hostname part in the URL
> ----------------------------------------------------------------------
>
>                 Key: VALIDATOR-248
>                 URL: https://issues.apache.org/jira/browse/VALIDATOR-248
>             Project: Commons Validator
>          Issue Type: Improvement
>          Components: Routines
>    Affects Versions: 1.3.1 Release
>            Reporter: Sergey Nebolsin
>            Assignee: Ben Speakmon
>             Fix For: 1.4
>
>         Attachments: commons-validator-allow-localhost-r592416.patch, commons-validator-allow-non-iana-tlds-r592416.patch
>
>
> Working on Grails we've discovered (http://jira.codehaus.org/browse/GRAILS-1692) that
commons-validator's UrlValidator rejects URLs like "http://localhost:8080/tau_gwi_00/clif/cb/19".
I looked at commons-validator sources and found that any URL which contains 'localhost' as
it's hostname part will be rejected.
> RFC-2396 (http://www.ietf.org/rfc/rfc2396.txt) accepts 'localhost' as a valid hostname
(appendix G.3 paragraph 2 says that explicitly).
> So, it would be good to have additional option (UrlValidator.ALLOW_LOCALHOST) which will
control UrlValidator behavior on localhost URLs.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message