sahvx655-wq opened a new pull request, #420:
URL: https://github.com/apache/commons-validator/pull/420

   I was checking how DomainValidator handles non-ASCII hosts and found 
unicodeToASCII passes the input straight to java.net.IDN.toASCII, whose 
nameprep step silently deletes default-ignorable and format code points before 
the label regex runs. A host carrying a soft hyphen, a zero-width space or 
joiner, or a byte order mark therefore collapses to a clean label and 
validates: isValid("exa​mple.com") and isValid("example.com") both return 
true, and UrlValidator.isValidAuthority shares the converter so it behaves the 
same way.
   
   The risk is that two byte-distinct strings validate as the same host, which 
is a spoofing vector and quietly poisons any allow-list built from validated 
input. None of these code points are legal in an RFC 1123 host name, and IDN's 
IDNA2003 normalisation never keeps one in a real label, so the fix scans the 
input in unicodeToASCII and returns it unconverted when it holds a Unicode 
FORMAT code point, leaving the existing label regex to reject it. Keeping the 
guard in the shared converter fixes DomainValidator and UrlValidator in one 
place rather than each caller, and legitimate IDN input is unaffected because 
its letters are not format characters.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to