[
https://issues.apache.org/jira/browse/VALIDATOR-363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14576589#comment-14576589
]
Sebb edited comment on VALIDATOR-363 at 11/10/15 11:42 AM:
-----------------------------------------------------------
This issue occurred due to additional security checking done in the
isValidPath() method.
"dot2Count", which was calculated with the intention of invalidating URLs with
a directory traversal pattern, counted "double dots" within the path section
that are not actual directory traversals.
Please check the attached patch for the proposed solution; I have added relevant
tests as well as additional comments to further describe the purpose of dot2Count.
was (Author: ayomawdb):
This issue occurred due to additional security checking done in the
isValidPath(-) method.
"dot2Count", which was calculated with the intention of invalidating URLs with
a directory traversal pattern, counted "double dots" within the path section
that are not actual directory traversals.
Please check the attached patch for the proposed solution; I have added relevant
tests as well as additional comments to further describe the purpose of dot2Count.
> UrlValidator rejects path having two or more successive dots
> ------------------------------------------------------------
>
> Key: VALIDATOR-363
> URL: https://issues.apache.org/jira/browse/VALIDATOR-363
> Project: Commons Validator
> Issue Type: Bug
> Affects Versions: 1.4.1 Release
> Reporter: Stefan Pi
> Attachments: VALIDATOR-363.patch
>
>
> Minimal example:
> {code}
> UrlValidator urlValidator = new UrlValidator();
> boolean isValidOneDot = urlValidator.isValid("http://www.example.org/hello.world/"); // evaluates to true
> boolean isValidTwoDots = urlValidator.isValid("http://www.example.org/hello..world/"); // evaluates to false
> {code}
> Real world example:
> {code}
> UrlValidator urlValidator = new UrlValidator();
> boolean isValidRealWord =
> urlValidator.isValid("http://forum.golem.de/sonstiges/trollwiese/apple-bashing-in-3...2...1...go/98,4089549,4089549,read.html#msg-4089549");
> // evaluates to false
> {code}
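
An added illustration of the distinction the comment describes (it is not the Commons Validator source and not the attached patch): counting every ".." substring in a path also counts the reported URLs, while a check on whole path segments only matches a real traversal segment. The class and method names are hypothetical, and the sample paths are taken from the report plus two constructed traversal cases.

```java
public class DotDotCheck {

    // Naive approach: count every non-overlapping occurrence of a token in
    // the path, regardless of where it sits inside a segment.
    static int countToken(String token, String target) {
        int count = 0;
        int idx = 0;
        while ((idx = target.indexOf(token, idx)) != -1) {
            count++;
            idx += token.length();
        }
        return count;
    }

    // Segment-aware approach: only a path segment that is exactly ".."
    // refers to the parent directory. Assumption: the path passed in is
    // already percent-decoded, so "%2e%2e" has become "..".
    static boolean hasTraversalSegment(String path) {
        // limit -1 keeps trailing empty segments, so "/a/b/.." is handled
        for (String segment : path.split("/", -1)) {
            if (segment.equals("..")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String[] paths = {
            "/hello.world/",                                    // from the report
            "/hello..world/",                                   // from the report
            "/sonstiges/trollwiese/apple-bashing-in-3...2...1...go/98,4089549,4089549,read.html",
            "/a/../b",                                          // constructed traversal
            "/a/b/.."                                           // constructed traversal
        };
        for (String p : paths) {
            System.out.printf("%s%n    '..' substrings: %d, traversal segment: %b%n",
                    p, countToken("..", p), hasTraversalSegment(p));
        }
    }
}
```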