Skip to content

Accept IPv4-embedded IPv6 addresses in UrlValidator#405

Merged
garydgregory merged 1 commit into
apache:masterfrom
sahvx655-wq:url-ipv6-embedded-ipv4
Jun 20, 2026
Merged

Accept IPv4-embedded IPv6 addresses in UrlValidator#405
garydgregory merged 1 commit into
apache:masterfrom
sahvx655-wq:url-ipv6-embedded-ipv4

Conversation

@sahvx655-wq

@sahvx655-wq sahvx655-wq commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

While checking how UrlValidator handles IPv6 literals I noticed it accepts http://[::FFFF:129.144.52.38]/ (the case covered by testValidator452) but rejects the same address in the standard lower-case mapped form http://[::ffff:129.144.52.38]/, and likewise rejects the IPv4-compatible ::1.2.3.4 and embedded 2001:db8::1.2.3.4 notations. The cause is IPV6_REGEX used by isValidAuthority: it only special-cases the literal upper-case ::FFFF: prefix and otherwise matches [0-9a-fA-F:]+, which has no ., so any bracketed host with an embedded IPv4 part fails the authority match before InetAddressValidator.isValidInet6Address is ever consulted. That validator already accepts all of these forms, so the URL path and a direct address check disagree.

The bracketed group is captured and then handed to isValidInet6Address, so the regex only needs to delimit the candidate rather than judge it; I widened it to [0-9a-fA-F:.]+ and left the real decision to the address validator. Keeping the judgement in one place stops the two paths drifting apart again, and malformed hosts (bad octet, stray ::, over-long group) are still rejected because the address validator rejects them. Left unfixed, code using UrlValidator as an allow gate silently turns away legitimate IPv4-mapped IPv6 URLs.

  • Read the contribution guidelines for this project.
  • Read the ASF Generative Tooling Guidance if you use Artificial Intelligence (AI).
  • I used AI to create any part of, or all of, this pull request. Which AI tool was used to create this pull request, and to what extent did it contribute?
  • Run a successful build using the default Maven goal with mvn; that's mvn on the command line by itself.
  • Write unit tests that match behavioral changes, where the tests fail if the changes to the runtime are not applied. This may not always be possible, but it is a best practice.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Each commit in the pull request should have a meaningful subject line and body. Note that a maintainer may squash commits during the merge process.

@sahvx655-wq
accept IPv4-embedded IPv6 addresses in UrlValidator
6fc35e5 
isValidAuthority matched a bracketed IPv6 host against IPV6_REGEX before handing it to InetAddressValidator.isValidInet6Address, but the regex only special-cased the upper-case ::FFFF: mapped form and otherwise excluded the dot needed for an embedded IPv4 part, so lower-case ::ffff:1.2.3.4, ::1.2.3.4 and 2001:db8::1.2.3.4 were rejected while the upper-case form was accepted. Widen the bracket pattern to hex, colon and dot and let isValidInet6Address make the decision.
@garydgregory garydgregory changed the title accept IPv4-embedded IPv6 addresses in UrlValidator Accept IPv4-embedded IPv6 addresses in UrlValidator Jun 20, 2026
@garydgregory garydgregory merged commit 115d0cd into apache:master Jun 20, 2026
10 checks passed
@garydgregory

garydgregory commented Jun 20, 2026

Copy link
Copy Markdown
Member

TY @sahvx655-wq , verified locally and merged 🚀

garydgregory added a commit that referenced this pull request Jun 20, 2026
@garydgregory
Accept IPv4-embedded IPv6 addresses in UrlValidator (#405).
6e155cd 
Sort members.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sahvx655-wq @garydgregory