bug #41684 Fix Url Validator false positives (sidz)

fabpot · fabpot · commit 8c674dc90201 · 2021-08-26T08:05:05.000+02:00
This PR was squashed before being merged into the 4.4 branch. Discussion ---------- Fix Url Validator false positives | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #41683 | License | MIT This PR tries to fix false positive issues with a couple of variants of domain names which Url validator thinks that they are valid Url Validator returns false positive result on cases: - http://www.example..com - http://www..example.com - http://www..com - http://.www.example.com Commits ------- 074539d Fix Url Validator false positives
diff --git a/src/Symfony/Component/Validator/Constraints/UrlValidator.php b/src/Symfony/Component/Validator/Constraints/UrlValidator.php
@@ -26,7 +26,7 @@ class UrlValidator extends ConstraintValidator
             (%s)://                                 # protocol
             (((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+:)?((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+)@)?  # basic auth
             (
-                ([\pL\pN\pS\-\_\.])+(\.?([\pL\pN]|xn\-\-[\pL\pN-]+)+\.?) # a domain name
+                ([\pL\pN\pS]+\.?[\pL\pN\pS\-\_]+)+(\.?([\pL\pN]|xn\-\-[\pL\pN-]+)+\.?) # a domain name
                     |                                                 # or
                 \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}                    # an IP address
                     |                                                 # or
diff --git a/src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php b/src/Symfony/Component/Validator/Tests/Constraints/UrlValidatorTest.php
@@ -105,6 +105,7 @@ public function getValidUrls()
         return [
             ['http://a.pl'],
             ['http://www.example.com'],
+            ['http://tt.example.com'],
             ['http://www.example.com.'],
             ['http://www.example.museum'],
             ['https://example.com/'],
@@ -265,6 +266,10 @@ public function getInvalidUrls()
             ['http://example.com/exploit.html?hel lo'],
             ['http://example.com/exploit.html?not_a%hex'],
             ['http://'],
+            ['http://www..com'],
+            ['http://www..example.com'],
+            ['http://wwww.example..com'],
+            ['http://.www.example.com'],
         ];
     }
 

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ class UrlValidator extends ConstraintValidator`
`26`	`26`	`(%s):// # protocol`
`27`	`27`	`(((?:[\_\.\pL\pN-]\|%%[0-9A-Fa-f]{2})+:)?((?:[\_\.\pL\pN-]\|%%[0-9A-Fa-f]{2})+)@)? # basic auth`
`28`	`28`	`(`
`29`		`- ([\pL\pN\pS\-\_\.])+(\.?([\pL\pN]\|xn\-\-[\pL\pN-]+)+\.?) # a domain name`
	`29`	`+ ([\pL\pN\pS]+\.?[\pL\pN\pS\-\_]+)+(\.?([\pL\pN]\|xn\-\-[\pL\pN-]+)+\.?) # a domain name`
`30`	`30`	`\| # or`
`31`	`31`	`\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} # an IP address`
`32`	`32`	`\| # or`