Copilot commented on code in PR #383:
URL: https://github.com/apache/commons-validator/pull/383#discussion_r3408173797


##########
src/main/java/org/apache/commons/validator/routines/UrlValidator.java:
##########
@@ -476,6 +479,14 @@ protected boolean isValidFragment(final String fragment) {
         return isOff(NO_FRAGMENTS);
     }
 
+    private String decodePath(final String path) {
+        try {
+            return URLDecoder.decode(path, StandardCharsets.UTF_8.name());
+        } catch (final UnsupportedEncodingException e) {
+            throw new RuntimeException(e); // UTF-8 is always supported
+        }
+    }
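Review bot: The catch on the `UnsupportedEncodingException` line only covers the checked exception; `URLDecoder.decode` also throws an unchecked `IllegalArgumentException` for malformed percent-escapes (a trailing `%` or a non-hex pair such as `%zz`), which this helper lets propagate, so a caller expecting `isValid` to return false on bad input may get an exception instead. Either catch `IllegalArgumentException` here and signal an invalid path to the caller, or document that callers must handle it. If the project baseline permits Java 10+, `URLDecoder.decode(path, StandardCharsets.UTF_8)` takes a `Charset` and throws no checked exception, which removes the catch block and the `RuntimeException` wrapper entirely.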

Review Comment:
URLDecoder is intended for application/x-www-form-urlencoded and will translate '+' to space, which is not correct for URL *path* decoding and can change the meaning of valid paths (e.g., "/foo+bar"). Preserve literal '+' before decoding (and prefer an IllegalStateException for the unreachable UTF-8 case).



##########
src/main/java/org/apache/commons/validator/routines/UrlValidator.java:
##########
@@ -489,13 +500,13 @@ protected boolean isValidPath(final String path) {
 
         try {
             // Don't omit host otherwise leading path may be taken as host if 
it starts with //
-            final URI uri = new URI(null, "localhost", path, null);
+            final URI uri = new URI(null, "localhost", decodePath(path), null);
             final String norm = uri.normalize().getPath();
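Review bot: Passing `decodePath(path)` into the `URI` constructor changes what the validator treats as a path delimiter: under RFC 3986 an encoded `%2F` inside a segment is data, not a separator, but after this line it is decoded to `/` before `normalize()` runs, so a segment that legitimately contains an encoded slash is now split and traversal rules are applied across it. If that is the intended policy, the javadoc for `isValidPath` should say that paths are validated in decoded form, and the change should ship with tests covering `%2e%2e/`, `%2F%2F` and a double-encoded `%252e%252e` so the single-decode behaviour is pinned down. Also note that the `try` opened two lines above this hunk now encloses a call that can throw `IllegalArgumentException` on a malformed escape; make sure the matching catch (not shown here) handles it rather than only `URISyntaxException`.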

Review Comment:
Path traversal is checked on the decoded path, but the ALLOW_2_SLASHES enforcement still counts "//" on the *raw* path. After this change, percent-encoded slashes (e.g., "%2F%2F") can produce consecutive slashes after decoding while bypassing the raw "//" check. Count consecutive slashes on the same decoded value used for normalization.



-- 
This is an automated message from the Apache Git Service.