My changes to the isValidPath() method cause the current checks for ".." combinations to break.

I have worked out a pattern to check that any path containing ".." must be enclosed by slashes, i.e.

/../

or

/..

However I'm not certain whether it is valid to have the path start with "..", e.g.

http://www.website.com/..

Which I have actually seen in use on the web.

Also questionable is whether ".." is allowed in any other combination, i.e.

http://www.website.com/dum..dum/

or

http://www.website.com/..file.html

Any help would be appreciated!
Thanks
Adam




On 04/02/2004 04:07 AM [EMAIL PROTECTED] wrote:
The URLvalidator was actually designed to be a general URI
validator. It's been a while since I used it but I believe
it should be able to validate jdbc:oracle://localhost:3050/mydatabase ?


I believe the scheme is optional.

-Rob



-----Original Message-----
From: Richard Bywater [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 1, 2004 10:06 PM
To: 'Struts Developers List'
Subject: Re: URL validation

If we're talking URLs aren't we looking at the wrong RFC? RFC1738 has this section:

3.3. HTTP

  The HTTP URL scheme is used to designate Internet resources
  accessible using HTTP (HyperText Transfer Protocol).

  The HTTP protocol is specified elsewhere. This specification only
  describes the syntax of HTTP URLs.

An HTTP URL takes the form:

http://<host>:<port>/<path>?<searchpart>

  where <host> and <port> are as described in Section 3.1. If :<port>
  is omitted, the port defaults to 80.  No user name or password is
  allowed.  <path> is an HTTP selector, and <searchpart> is a query
  string. The <path> is optional, as is the <searchpart> and its
  preceding "?". If neither <path> nor <searchpart> is present, the "/"
  may also be omitted.

  Within the <path> and <searchpart> components, "/", ";", "?" are
  reserved.  The "/" character may be used within HTTP to designate a
  hierarchical structure.


It states that path is optional therefore it would appear to me that http://<host>/?<searchpath> is valid.


If we're actually talking URIs my apologies :)

Richard.

Adam Hardy wrote:


I thought that a slash on the end of a web-address denoted that you were requesting the default resource at that URI.

However I guess that is a very HTTP-centric point of view.

So if the RFC leaves it open to interpretation, what does one do? Veer on the side of leniency?

Adam


On 04/01/2004 07:50 PM David Morris wrote:



Are you reading something into the spec? It seems like they are
referring to a part of the URL. If not, I am wondering why the RFC shows
examples in section E that do end in a slash.

"In practice, URI are delimited in a variety of ways, but usually
  within double-quotes "http://test.com/", angle brackets
  <http://test.com/>, or just using whitespace

                            http://test.com/
  These wrappers do not form part of the URI."

David Morris




--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]










--
struts 1.2 + tomcat 5.0.19 + java 1.4.2
Linux 2.4.20 Debian
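
One way to handle the ".." cases raised at the top of this message, as an added example that is not the validator's own isValidPath() code: treat ".." as a parent reference only when it is a complete segment between slashes, and reject a path whose ".." segments would resolve above the root. The class and method names are hypothetical, rejecting "/.." is a policy assumption rather than something the RFC text quoted here settles, and the example goes beyond the thread by also treating "%2e%2e" as "..".

```java
import java.util.regex.Pattern;

public class DotSegmentCheck {
    // Hypothetical helper, not the validator's isValidPath(): ".." counts as a
    // parent reference only when it is a complete segment between slashes.
    private static final Pattern ENCODED_DOT = Pattern.compile("%2[eE]");

    /** Returns true when no ".." segment climbs above the root of the path. */
    static boolean dotSegmentsStayInsideRoot(String path) {
        if (path == null || path.isEmpty()) {
            return true; // RFC 1738 makes <path> optional
        }
        if (!path.startsWith("/")) {
            return false; // a non-empty path after the host must begin with "/"
        }
        int depth = 0;
        for (String raw : path.substring(1).split("/")) {
            // "%2e" is an encoded ".", so "%2e%2e" is handled like ".."
            String segment = ENCODED_DOT.matcher(raw).replaceAll(".");
            if (segment.equals("..")) {
                if (--depth < 0) {
                    return false; // assumed policy: never resolve above the root
                }
            } else if (!segment.isEmpty() && !segment.equals(".")) {
                depth++; // ordinary segment, including "dum..dum" and "..file.html"
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample paths, modelled on the forms asked about above
        String[] samples = {"/..", "/a/../b", "/a/../../b", "/dum..dum/",
                            "/..file.html", "/a/%2e%2e/%2E%2E/", ""};
        for (String p : samples) {
            System.out.println("\"" + p + "\" -> " + dotSegmentsStayInsideRoot(p));
        }
    }
}
```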




