This is an automated email from the ASF dual-hosted git repository.
sebbASF pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-validator.git
The following commit(s) were added to refs/heads/master by this push:
new 0eef0781 range-check the port for IPv6 hosts in isValidAuthority (#412)
0eef0781 is described below
commit 0eef0781a5ae4ceb686847d9cd5c2ac3ae29a1b3
Author: sahvx655-wq <[email protected]>
AuthorDate: Thu Jun 25 19:48:05 2026 +0530
range-check the port for IPv6 hosts in isValidAuthority (#412)
---
.../commons/validator/routines/UrlValidator.java | 21 ++++++++++++---------
.../validator/routines/UrlValidatorTest.java | 11 +++++++++++
2 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/src/main/java/org/apache/commons/validator/routines/UrlValidator.java b/src/main/java/org/apache/commons/validator/routines/UrlValidator.java
index 5c6b9059..4a9bf519 100644
--- a/src/main/java/org/apache/commons/validator/routines/UrlValidator.java
+++ b/src/main/java/org/apache/commons/validator/routines/UrlValidator.java
@@ -443,16 +443,19 @@ public class UrlValidator implements Serializable {
return false;
}
}
- final String port = authorityMatcher.group(PARSE_AUTHORITY_PORT);
- if (!GenericValidator.isBlankOrNull(port)) {
- try {
- final int iPort = Integer.parseInt(port);
- if (iPort < 0 || iPort > MAX_UNSIGNED_16_BIT_INT) {
- return false;
- }
- } catch (final NumberFormatException nfe) {
- return false; // this can happen for big numbers
+ }
+
+ // the port is captured in the same group regardless of host form, so it must be
+ // range checked for a bracketed IPv6 host too, not just the hostname/IPv4 branch
+ final String port = authorityMatcher.group(PARSE_AUTHORITY_PORT);
+ if (!GenericValidator.isBlankOrNull(port)) {
+ try {
+ final int iPort = Integer.parseInt(port);
+ if (iPort < 0 || iPort > MAX_UNSIGNED_16_BIT_INT) {
+ return false;
}
+ } catch (final NumberFormatException nfe) {
+ return false; // this can happen for big numbers
}
}
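Review bot: The relocated check at `Integer.parseInt(port)` is looser than a URL port, because parseInt accepts a leading `+` or `-` and any number of leading zeros. It is therefore only as strict as the pattern behind `PARSE_AUTHORITY_PORT`, which is defined outside this hunk. If that group is digits-only the sign case cannot occur and `iPort < 0` is unreachable; that assumption deserves a comment beside the check, e.g. `// port group is assumed to match ASCII digits only; parseInt alone would also accept a leading sign`. Port 0 also passes the `iPort < 0` bound, so if callers use the validator as a gate before connecting, the comment should say whether 0 is accepted on purpose. The enclosing method (isValidAuthority, per the commit title) starts and ends outside the hunk.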
diff --git a/src/test/java/org/apache/commons/validator/routines/UrlValidatorTest.java b/src/test/java/org/apache/commons/validator/routines/UrlValidatorTest.java
index 58d5602c..33f4d394 100644
--- a/src/test/java/org/apache/commons/validator/routines/UrlValidatorTest.java
+++ b/src/test/java/org/apache/commons/validator/routines/UrlValidatorTest.java
@@ -173,6 +173,17 @@ public class UrlValidatorTest {
assertFalse(urlValidator.isValid("http://[::ffff:129.144.52.999]/"));
}
+ @Test
+ void testIpv6Port() {
+ final UrlValidator urlValidator = new UrlValidator();
+ // a port on a bracketed IPv6 host must be range checked just like a hostname/IPv4 host
+ assertTrue(urlValidator.isValid("http://[::1]:65535/index.html"));
+ assertFalse(urlValidator.isValid("http://[::1]:65536/index.html"));
+ assertFalse(urlValidator.isValid("http://[::1]:99999/index.html"));
+ assertTrue(urlValidator.isValidAuthority("[::1]:65535"));
+ assertFalse(urlValidator.isValidAuthority("[::1]:65536"));
+ }
+
@ParameterizedTest
// @formatter:off
@ValueSource(strings = {
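Review bot: testIpv6Port covers the numeric out-of-range path (65536, 99999) but not the `NumberFormatException` branch that the main change also moves, the one commented "this can happen for big numbers". A port that overflows int would pin that branch for the bracketed form too, e.g. `assertFalse(urlValidator.isValidAuthority("[::1]:99999999999"));` (constructed value). A lower-boundary case such as `[::1]:0` would also record what the validator is meant to return at that edge.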