reta commented on code in PR #1483:
URL: https://github.com/apache/cxf/pull/1483#discussion_r1369414837


##########
rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/Rfc3986UriValidator.java:
##########
@@ -39,21 +39,28 @@ final class Rfc3986UriValidator {
 
     private static final String LAST = "#(.*)";
 
-    private static final Pattern HTTP_URL = Pattern.compile("^" + SCHEME 
+    private static final Pattern HTTP_URL = Pattern.compile("^" + SCHEME
         + "(//(" + USERINFO + "@)?" + HOST  + ")?" + PATH
         + "(\\?" + QUERY + ")?" + "(" + LAST + ")?");
 
     private Rfc3986UriValidator() {
     }
 
     /**
-     * Validate the HTTP URL according to 
https://datatracker.ietf.org/doc/html/rfc3986#appendix-B  
+     * Validate the HTTP URL according to 
https://datatracker.ietf.org/doc/html/rfc3986#appendix-B
      * @param uri HTTP schemed URI to validate
      * @return "true" if URI matches RFC-3986 validation rules, "false" 
otherwise
      */
     public static boolean validate(final URI uri) {
         // Only validate the HTTP(s) URIs
-        if (HttpUtils.isHttpScheme(uri.getScheme())) { 
+        if (HttpUtils.isHttpScheme(uri.getScheme())) {
+        // If URI.getHost() returns a host name, validate it and
+            // skip the expensive regular expression logic.
+            final String uriHost = uri.getHost();
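Review bot: The new `uri.getHost()` branch at the top of `validate` is documented as skipping the regular expression when `java.net.URI` returns a host, but matching against `HTTP_URL` is the RFC 3986 check this class performs, so the short-circuit means the host is accepted on `java.net.URI`'s parsing alone. Either keep the `HTTP_URL` match for every HTTP(S) URI or state in the Javadoc why a non-null `getHost()` is sufficient and which host check replaces the pattern. Style: the first added comment line is indented 8 spaces while the following one uses 12, and the whitespace-only changes (after `SCHEME`, on the Javadoc URL line, and on the `if` line) would be easier to review as a separate cleanup.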

Review Comment:
   @WhiteCat22 the reason for this validator to exist sadly is the fact that 
Java's URI is not RFC-3986 compliant. The `host` is not a trustworthy source here, 
hence we validate it against the pattern.
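
The gap the comment above refers to, as an added example that is not part of the original message or of CXF: it compares `URI.getHost()` with the host taken from the raw text using the generic regular expression from RFC 3986, Appendix B. The class `UriHostCheck`, the helper `hostFromPattern` and the sample URIs are hypothetical, and the pattern is the RFC's generic one, not CXF's `HTTP_URL`.

```java
import java.net.URI;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class UriHostCheck {
    // Generic URI regex from RFC 3986, Appendix B; group 4 is the authority.
    private static final Pattern RFC3986 = Pattern.compile(
        "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?");

    /** Host taken from the raw URI text: authority minus userinfo and port. */
    static String hostFromPattern(String raw) {
        Matcher m = RFC3986.matcher(raw);
        if (!m.matches() || m.group(4) == null) {
            return null;
        }
        String authority = m.group(4);
        int at = authority.lastIndexOf('@');
        String hostPort = at >= 0 ? authority.substring(at + 1) : authority;
        // Keep a bracketed IPv6 literal whole; otherwise drop a trailing ":port".
        if (hostPort.startsWith("[")) {
            int end = hostPort.indexOf(']');
            return end > 0 ? hostPort.substring(0, end + 1) : hostPort;
        }
        int colon = hostPort.lastIndexOf(':');
        return colon >= 0 ? hostPort.substring(0, colon) : hostPort;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed sample URIs
            "http://example.org:8080/a?b=c",
            "http://my_service:8080/a",   // underscore in the host
            "http://user@my_service/a",
        };
        for (String raw : samples) {
            URI uri = URI.create(raw);
            System.out.printf("%-32s getHost()=%s authority=%s pattern-host=%s%n",
                raw, uri.getHost(), uri.getAuthority(), hostFromPattern(raw));
        }
    }
}
```

For the hosts containing an underscore, `java.net.URI` parses the authority as registry-based, so `getHost()` returns `null` while `getAuthority()` still carries the text.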


