tracker issue : CF-3924581

Title:

[ANeff] Bug for: isValid("url") incorrect results


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Aaron Neff / Aaron Neff (Aaron Neff)

Created: 01/21/2015

Components: Language

Versions: 11.0

Failure Type:

Found In Build/Fixed In Build: CF11_Final /

Priority/Frequency: Major / Some users will encounter

Locale/System: ALL / Platforms All

Vote Count: 0

Listed in the version 2016.0.03.300466 Issues Fixed doc
Verification notes: verified_fixed on August 24, 2019 using build 2016.0.01.298513
! ( ) and * are valid in a URL's path and query string, but isValid("url") says they aren't
% is valid in a URL's path and query string only if it precedes 2 hexadecimal digits, but isValid("url") doesn't perform this check
http://[::1] is valid as a URL's host, but isValid("url") says it isn't

Repro:

<cfscript>
//actual result: NO NO NO NO YES 
//expected result: YES YES YES YES NO 
for(char in "!,(,),*,%") {
  writeOutput(isValid("url", 'http://localhost/' & char) & ' ');
}

//actual result: NO
//expected result: YES
writeOutput(isValid("url", "http://[::1]"));
</cfscript>

Example live URL containing ( and ): https://msdn.microsoft.com/en-us/library/aa752574(VS.85).aspx
Example live URL containing *: http://web.archive.org/web/*/http://www.wikipedia.org/
Didn't find a live example URL containing !, but repro is simple b/c ! is allowed in folder names

Related URL: http://www.ietf.org/rfc/rfc3986.txt
Related URL: http://tools.ietf.org/html/rfc2616#section-3.2
..or perhaps confirm w/ Roy Fielding there at Adobe

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3924581

External Customer Info:
External Company:  
External Customer Name: Aaron
External Customer Email:

Attachments:

Comments:

As reported 'http://[::1]' was already fixed with ipv6 support. Support for these special characters: ! ( ) and * is added. Behavior of % will remain as it is. We will not make it stricter by validating only when it is followed by 2 hexadecimal characters. Though it is mentioned in w3c spec as it should be used strictly, users have been using it in other ways too. To further support my comment, please notice that other languages are also liberal in validating it, like PHP.
Comment by Milan C.
8882 | January 31, 2015 10:45:04 AM GMT
Hi Milan, "as reported 'http://[::1]' was already fixed with ipv6 support." As reported? Where? isValid("url", "http://[::1]") returns NO in CF11 Update 3 and CF11 Update 4. "w3c spec as it should be used strictly" Strictly is the only way in which Adobe should be using a spec that Adobe itself is co-authoring (RFC 3986), right? I mean, why define a spec you won't fully follow? Everyone: Adobe's saying isValid("url", "http://T%H%I%S%%I%S%%J%U%N%K%%%%%%%%%%%%%%%%%%%%%%%%%%%") should return YES. Adobe, what is an example of a valid URL wherein the % is not followed by 2 hexadecimal characters? It must be such a strong/valid example to justify not following the W3C spec. After all, Adobe, you follow the J2EE spec strictly - see #CF-3352078 where you broke backward-compat w/ CF9 by no longer honoring sessions if jsessionid was appended to URL w/ ampersand (b/c J2EE spec requires semicolon). Following spec when convenient, but following PHP when convenient? Milan, it is good that ! ( ) and * are now supported. But IPv6 isn't fixed and neither is %J%U%N%K. Both issues still need fixed. Thanks!, -Aaron
Comment by External U.
8883 | January 31, 2015 12:23:12 PM GMT
Adobe, Can you please document the regex pattern that you're using for isValid("url")? Thanks!, -Aaron
Comment by External U.
8884 | January 31, 2015 12:27:11 PM GMT
Aaron, regarding the ipv6 support, I can confirm this is fixed and will be available in a future release.
Comment by Immanuel N.
8885 | February 01, 2015 11:03:02 PM GMT
Hi Immanuel, Thanks very much for confirming that! I thought "as reported" meant Adobe already reported (ex: via the blog or somewhere similar) to us that it's fixed. Now I understand! Thanks again!, -Aaron
Comment by External U.
8886 | February 02, 2015 08:41:08 AM GMT
Aaron, All scenarios mentioned in this bug have been fixed, except the validations with %. We will be tracking that fix as part of the bug, CF-4007976. Will be marking this bug as fixed.
Comment by Immanuel N.
8887 | June 16, 2015 10:50:39 PM GMT
Hi Adobe, I've verified this is fixed in CF2016 Update 1 (build 2016.0.01.298513), except for % which was moved to CF-4007976. Thanks!, -Aaron
Comment by Aaron N.
31188 | August 24, 2019 10:04:41 AM GMT
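
The rules argued over in this ticket (! ( ) * allowed in path and query, % accepted only before two hexadecimal digits, bracketed IPv6 hosts) written out as a strict RFC 3986 check. This is an added Python example, not ColdFusion's implementation or code from the ticket; the names `is_rfc3986_http_url` and `host_ok`, the http/https restriction, and the choice to reject userinfo, zone ids and IPvFuture hosts are assumptions made here.

```python
import ipaddress
import re

# RFC 3986 pchar: unreserved / sub-delims / ":" / "@", or a pct-encoded triplet.
_PCT = r"%[0-9A-Fa-f]{2}"
_SAFE = r"A-Za-z0-9\-._~!$&'()*+,;="               # unreserved + sub-delims
_PCHAR = rf"(?:[{_SAFE}:@]|{_PCT})"
_PATH_RE = re.compile(rf"(?:/{_PCHAR}*)*\Z")       # path-abempty
_QUERY_RE = re.compile(rf"(?:{_PCHAR}|[/?])*\Z")   # query and fragment
_REG_NAME_RE = re.compile(rf"(?:[{_SAFE}]|{_PCT})+\Z")
# Component splitter adapted from RFC 3986 Appendix B.
_SPLIT_RE = re.compile(
    r"(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?\Z", re.S)

def host_ok(authority: str) -> bool:
    """reg-name or bracketed IPv6 literal, optional port; userinfo is rejected."""
    if authority.startswith("["):
        literal, bracket, rest = authority[1:].partition("]")
        if not bracket or not re.fullmatch(r"(?::[0-9]*)?", rest):
            return False
        if not re.fullmatch(r"[0-9A-Fa-f:.]+", literal):  # no zone ids, no IPvFuture
            return False
        try:
            ipaddress.IPv6Address(literal)
        except ValueError:
            return False
        return True
    name, _, port = authority.partition(":")
    return bool(_REG_NAME_RE.match(name)) and re.fullmatch(r"[0-9]*", port) is not None

def is_rfc3986_http_url(url: str) -> bool:
    """True only if every component of an http(s) URL fits the RFC 3986 grammar."""
    scheme, authority, path, query, fragment = _SPLIT_RE.match(url).groups()
    if scheme is None or scheme.lower() not in ("http", "https") or not authority:
        return False
    if not host_ok(authority) or not _PATH_RE.match(path):
        return False
    # A lone "%" or "%zz" anywhere in query or fragment fails here.
    return all(_QUERY_RE.match(p) for p in (query, fragment) if p is not None)

if __name__ == "__main__":
    # Constructed inputs mirroring the report's repro cases.
    for ch in "!()*%":
        print(ch, is_rfc3986_http_url("http://localhost/" + ch))
    print(is_rfc3986_http_url("http://[::1]"))
```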