I have worked out a pattern to check that any path containing ".." must be enclosed by slashes, i.e.
/../
or
/..
However I'm not certain whether it is valid to have the path start with "..", e.g.
http://www.website.com/..
Which I have actually seen in use on the web.
Also questionable is whether ".." is allowed any other combination, i.e.
http://www.website.com/dum..dum/
or
http://www.website.com/..file.html
Any help would be appreciated! Thanks Adam
On 04/02/2004 04:07 AM [EMAIL PROTECTED] wrote:
The URLvalidator was actually designed to be a general URI
validator. It's been a while since I used it but I believe
it should be able to validate jdbc:oracle://localhost:3050/mydatabase ?
I believe the scheme is optional.
-Rob
-----Original Message----- From: Richard Bywater [mailto:[EMAIL PROTECTED] Sent: Thursday, April 1, 2004 10:06 PM To: 'Struts Developers List' Subject: Re: URL validation
If we're talking URLs aren't we looking at the wrong RFC? RFC1738 has this section:
3.3. HTTP
The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol).
The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs.
An HTTP URL takes the form:
http://<host>:<port>/<path>?<searchpart>
where <host> and <port> are as described in Section 3.1. If :<port> is omitted, the port defaults to 80. No user name or password is allowed. <path> is an HTTP selector, and <searchpart> is a query string. The <path> is optional, as is the <searchpart> and its preceding "?". If neither <path> nor <searchpart> is present, the "/" may also be omitted.
Within the <path> and <searchpart> components, "/", ";", "?" are reserved. The "/" character may be used within HTTP to designate a hierarchical structure.
It states that path is optional therefore it would appear to me that http://<host>/?<searchpath> is valid.
If we're actually talking URIs my apologies :)
Richard.
Adam Hardy wrote:
I thought that a slash on the end of a web-address denoted that you were requesting the default resource at that URI.
However I guess that is a very HTTP-centric point of view.
So if the RFC leaves it open to interpretation, what does one do? Veer on the side of leniency?
Adam
On 04/01/2004 07:50 PM David Morris wrote:
Are you reading something into the spec? It seems like they are referring to a part of the URL. If not, I am wondering why the RFC shows examples in section E that do end in a slash.
"In practice, URI are delimited in a variety of ways, but usually within double-quotes "http://test.com/";, angle brackets <http://test.com/>, or just using whitespace
http://test.com/ These wrappers do not form part of the URI."
David Morris
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- struts 1.2 + tomcat 5.0.19 + java 1.4.2 Linux 2.4.20 Debian
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
