sahvx655-wq opened a new pull request, #412:
URL: https://github.com/apache/commons-validator/pull/412

**IPv6 host port skips the range check in isValidAuthority**

The port group in `AUTHORITY_PATTERN` is captured the same way for a
bracketed IPv6 host as for a hostname or IPv4 host, but the 0 to 65535 range
check only ran in the hostname/IPv4 branch of `isValidAuthority`. That left a
gap: `http://[::1]:99999/` and `http://[::1]:65536/` validated as good while
the equivalent `http://127.0.0.1:99999/` and `http://example.com:99999/` were
correctly rejected, so an out-of-range port slipped through purely on the
strength of the host being IPv6.

Moved the existing port parse and range check out of that branch so both
host forms are checked the same way. Valid ports such as `[::1]:65535` and
`[::1]:80`, and the no-port case, are unaffected. Added a regression test that
fails without the change.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
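
The branch-dependent gap described in the pull request, as an added sketch that is not the project's code or the submitted patch: the class, its methods and the simplified regex are assumptions for illustration, and the IPv6 literal itself is not validated here.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AuthorityPortCheck {
    // Simplified stand-in for an authority regex (assumption, not the project's pattern):
    // group 1 = bracketed IPv6 literal, group 2 = hostname or IPv4, group 3 = port digits.
    private static final Pattern AUTHORITY =
            Pattern.compile("^(?:\\[([0-9A-Fa-f:]+)\\]|([A-Za-z0-9.-]+))(?::(\\d*))?$");
    private static final int MAX_PORT = 65535;

    // Range check shared by both host forms; a missing or empty port is accepted.
    static boolean portInRange(String port) {
        if (port == null || port.isEmpty()) {
            return true;
        }
        try {
            return Integer.parseInt(port) <= MAX_PORT; // \d* cannot match a sign
        } catch (NumberFormatException e) {
            return false; // digit run too long for an int
        }
    }

    // "Before" shape: the port is only examined in the hostname/IPv4 branch.
    static boolean validBefore(String authority) {
        Matcher m = AUTHORITY.matcher(authority);
        if (!m.matches()) {
            return false;
        }
        if (m.group(1) != null) {
            return true; // IPv6 branch returns without looking at group 3
        }
        return portInRange(m.group(3));
    }

    // "After" shape: the port check runs regardless of which host group matched.
    static boolean validAfter(String authority) {
        Matcher m = AUTHORITY.matcher(authority);
        return m.matches() && portInRange(m.group(3));
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs, using the cases named in the description
            "[::1]:99999", "[::1]:65536", "[::1]:65535", "[::1]:80", "[::1]",
            "127.0.0.1:99999", "example.com:99999" };
        for (String s : samples) {
            System.out.printf("%-20s before=%-5b after=%b%n", s, validBefore(s), validAfter(s));
        }
    }
}
```

Only the two out-of-range IPv6 inputs change verdict between the two methods, which is the property a regression test for this class of bug should pin down alongside the boundary value 65535.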
