This is an automated email from the ASF dual-hosted git repository.

sebbASF pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-validator.git


The following commit(s) were added to refs/heads/master by this push:
     new 0eef0781 range-check the port for IPv6 hosts in isValidAuthority (#412)
0eef0781 is described below

commit 0eef0781a5ae4ceb686847d9cd5c2ac3ae29a1b3
Author: sahvx655-wq <[email protected]>
AuthorDate: Thu Jun 25 19:48:05 2026 +0530

    range-check the port for IPv6 hosts in isValidAuthority (#412)
---
 .../commons/validator/routines/UrlValidator.java    | 21 ++++++++++++---------
 .../validator/routines/UrlValidatorTest.java        | 11 +++++++++++
 2 files changed, 23 insertions(+), 9 deletions(-)

diff --git 
a/src/main/java/org/apache/commons/validator/routines/UrlValidator.java 
b/src/main/java/org/apache/commons/validator/routines/UrlValidator.java
index 5c6b9059..4a9bf519 100644
--- a/src/main/java/org/apache/commons/validator/routines/UrlValidator.java
+++ b/src/main/java/org/apache/commons/validator/routines/UrlValidator.java
@@ -443,16 +443,19 @@ public class UrlValidator implements Serializable {
                     return false;
                 }
             }
-            final String port = authorityMatcher.group(PARSE_AUTHORITY_PORT);
-            if (!GenericValidator.isBlankOrNull(port)) {
-                try {
-                    final int iPort = Integer.parseInt(port);
-                    if (iPort < 0 || iPort > MAX_UNSIGNED_16_BIT_INT) {
-                        return false;
-                    }
-                } catch (final NumberFormatException nfe) {
-                    return false; // this can happen for big numbers
+        }
+
+        // the port is captured in the same group regardless of host form, so 
it must be
+        // range checked for a bracketed IPv6 host too, not just the 
hostname/IPv4 branch
+        final String port = authorityMatcher.group(PARSE_AUTHORITY_PORT);
+        if (!GenericValidator.isBlankOrNull(port)) {
+            try {
+                final int iPort = Integer.parseInt(port);
+                if (iPort < 0 || iPort > MAX_UNSIGNED_16_BIT_INT) {
+                    return false;
                 }
+            } catch (final NumberFormatException nfe) {
+                return false; // this can happen for big numbers
             }
         }
 
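Review bot: The relocated port check depends on `Integer.parseInt`, which accepts a leading `+` or `-` and non-ASCII decimal digits, so the range comparison only guarantees a well-formed port if the `PARSE_AUTHORITY_PORT` group is limited to ASCII digits. That pattern is outside this hunk and should be confirmed. Because the check now also guards the bracketed IPv6 form, I would record the dependency beside it, e.g. `// relies on the authority pattern capturing ASCII digits only; parseInt alone would also accept "+80"`. The unused catch variable `nfe` could be named `ignored` to show the exception is dropped on purpose. The enclosing method starts and ends outside the hunk.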
diff --git 
a/src/test/java/org/apache/commons/validator/routines/UrlValidatorTest.java 
b/src/test/java/org/apache/commons/validator/routines/UrlValidatorTest.java
index 58d5602c..33f4d394 100644
--- a/src/test/java/org/apache/commons/validator/routines/UrlValidatorTest.java
+++ b/src/test/java/org/apache/commons/validator/routines/UrlValidatorTest.java
@@ -173,6 +173,17 @@ public class UrlValidatorTest {
         assertFalse(urlValidator.isValid("http://[::ffff:129.144.52.999]/";));
     }
 
+    @Test
+    void testIpv6Port() {
+        final UrlValidator urlValidator = new UrlValidator();
+        // a port on a bracketed IPv6 host must be range checked just like a 
hostname/IPv4 host
+        assertTrue(urlValidator.isValid("http://[::1]:65535/index.html";));
+        assertFalse(urlValidator.isValid("http://[::1]:65536/index.html";));
+        assertFalse(urlValidator.isValid("http://[::1]:99999/index.html";));
+        assertTrue(urlValidator.isValidAuthority("[::1]:65535"));
+        assertFalse(urlValidator.isValidAuthority("[::1]:65536"));
+    }
+
     @ParameterizedTest
     // @formatter:off
     @ValueSource(strings = {
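Review bot: `testIpv6Port` never reaches the `NumberFormatException` branch for a bracketed host, because 65536 and 99999 both parse as an `int` and are rejected by the range comparison instead. A port beyond `int` range would cover that path, e.g. `assertFalse(urlValidator.isValidAuthority("[::1]:99999999999"));` (constructed sample value). If not already covered elsewhere in the test class, `assertTrue(urlValidator.isValidAuthority("[::1]"));` would also pin that the moved check leaves a port-less IPv6 authority alone.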
