commons-issues mailing list archives

From "Ayoma Gayan Wijethunga (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (VALIDATOR-363) UrlValidator rejects path having two or more successive dots
Date Mon, 08 Jun 2015 04:29:00 GMT

     [ https://issues.apache.org/jira/browse/VALIDATOR-363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ayoma Gayan Wijethunga updated VALIDATOR-363:
---------------------------------------------
    Attachment: VALIDATOR-363.patch

This issue occurred due to additional security checking done in the isValidPath(-) method.

"dot2Count", which was calculated with the intention of invalidating URLs with a directory traversal
pattern, counted "double dots" within the path section that are not actual directory traversals.

Please check the attached patch for the proposed solution; I have added relevant tests as well
as additional comments to further describe the purpose of dot2Count.

> UrlValidator rejects path having two or more successive dots
> ------------------------------------------------------------
>
>                 Key: VALIDATOR-363
>                 URL: https://issues.apache.org/jira/browse/VALIDATOR-363
>             Project: Commons Validator
>          Issue Type: Bug
>    Affects Versions: 1.4.1 Release
>            Reporter: Stefan Pi
>         Attachments: VALIDATOR-363.patch
>
>
> Minimal example:
> {code}
> UrlValidator urlValidator = new UrlValidator();
> boolean isValidOneDot = urlValidator.isValid("http://www.example.org/hello.world/"); // evaluates to true
> boolean isValidTwoDots = urlValidator.isValid("http://www.example.org/hello..world/"); // evaluates to false
> {code}
> Real world example:
> {code}
> UrlValidator urlValidator = new UrlValidator();
> boolean isValidRealWord = urlValidator.isValid("http://forum.golem.de/sonstiges/trollwiese/apple-bashing-in-3...2...1...go/98,4089549,4089549,read.html#msg-4089549"); // evaluates to false
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
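
The distinction described in the comment above, as an added example (it is not the attached patch and not Commons Validator's own code): a count of every ".." substring in a path compared with a count of path segments that are exactly "..". The class and method names are hypothetical, and the last sample path is constructed.

```java
public class DotDotCheck {

    // Counts every ".." occurrence anywhere in the path, including inside
    // a segment name such as "hello..world" (the over-broad behaviour).
    static int countDotDotSubstrings(String path) {
        int count = 0;
        int idx = 0;
        while ((idx = path.indexOf("..", idx)) != -1) {
            count++;
            idx += 2;
        }
        return count;
    }

    // Counts only segments that are exactly "..", i.e. a parent-directory
    // step. No percent-decoding is done; the path is checked as given.
    static int countDotDotSegments(String path) {
        int count = 0;
        for (String segment : path.split("/", -1)) {
            if (segment.equals("..")) {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) {
        String[] paths = {
            "/hello.world/",   // from the report
            "/hello..world/",  // from the report
            "/sonstiges/trollwiese/apple-bashing-in-3...2...1...go/"
                + "98,4089549,4089549,read.html", // from the report
            "/docs/../private/" // constructed: a real ".." segment
        };
        for (String p : paths) {
            System.out.println(countDotDotSubstrings(p) + " substring(s), "
                + countDotDotSegments(p) + " segment(s): " + p);
        }
    }
}
```

Only the constructed path has a ".." segment; the two rejected paths from the report contain the substring but no such segment.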
