Skip to content

[Validator] Update regular expression in URL validator #62028

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nicolas-grekas merged 1 commit into from
Oct 16, 2025
Merged

[Validator] Update regular expression in URL validator #62028

nicolas-grekas merged 1 commit into from
Oct 16, 2025

Conversation

@mjaschen
Copy link
Contributor

@mjaschen mjaschen commented Oct 10, 2025
edited by nicolas-grekas
Loading

Q A
Branch? 6.4
Bug fix? yes
New feature? no
Deprecations? no
Issues -
License MIT

The UrlValidator::validate() method currently fails for some valid URLs, particularly URLs containing login data with special characters.

Example failing case:

https://user-123:[email protected]/path/file.txt.gz

The current regular expression only accepts a subset of allowed characters in the userinfo part of the URL, see UrlValidator.php:26.

Changes in this pull request:

  • Update the regular expression in UrlValidator::PATTERN to support all characters permitted in the userinfo part of a URL according to RFC 3986.
  • remove unneeded escaping in regular expression character class ([\_\.][_.])
  • Add new test cases covering all special characters in the userinfo part of URLs.

References:

  • RFC 3986 describing: Uniform Resource Identifier (URI) Generic Syntax
  • Appendix A, “Collected ABNF for URI”

Relevant ABNF for userinfo in URIs:

userinfo      = *( unreserved / pct-encoded / sub-delims / ":" )
unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
pct-encoded   = "%" HEXDIG HEXDIG
sub-delims    = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="

@carsonbot carsonbot added this to the 7.4 milestone Oct 10, 2025
@carsonbot
Copy link

carsonbot commented Oct 10, 2025

Hey!

I see that this is your first PR. That is great! Welcome!

Symfony has a contribution guide which I suggest you to read.

In short:

  • Always add tests
  • Keep backward compatibility (see https://symfony.com/bc).
  • Bug fixes must be submitted against the lowest maintained branch where they apply (see https://symfony.com/releases)
  • Features and deprecations must be submitted against the 7.4 branch.

Review the GitHub status checks of your pull request and try to solve the reported issues. If some tests are failing, try to see if they are failing because of this change.

When two Symfony core team members approve this change, it will be merged and you will become an official Symfony contributor!
If this PR is merged in a lower version branch, it will be merged up to all maintained branches within a few days.

I am going to sit back now and wait for the reviews.

Cheers!

Carsonbot

@carsonbot carsonbot changed the title Update regular expression in URL validator Update regular expression in URL validator Oct 10, 2025
@carsonbot carsonbot changed the title Update regular expression in URL validator [Validator] Update regular expression in URL validator Oct 14, 2025
@nicolas-grekas nicolas-grekas modified the milestones: 7.4, 6.4 Oct 14, 2025
@mjaschen @nicolas-grekas
Update regular expression in URL validator
82bbb9c 
To achieve better compatibility with RFC 3986, the regular expression
which validates URLs now allows more characters in the userinfo part.

Add test cases; update change log.
@nicolas-grekas nicolas-grekas changed the base branch from 7.4 to 6.4 October 14, 2025 16:28
@nicolas-grekas nicolas-grekas force-pushed the feature/url-validator-userinfo branch from d385f3e to 82bbb9c Compare October 14, 2025 16:28
nicolas-grekas
nicolas-grekas approved these changes Oct 14, 2025
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I rebased for 6.4 as a bugfix and further tweaked the regex a bit.

nicolas-grekas
nicolas-grekas reviewed Oct 14, 2025
View reviewed changes
src/Symfony/Component/Validator/Constraints/UrlValidator.php
{^
(%s):// # protocol
(((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+:)?((?:[\_\.\pL\pN-]|%%[0-9A-Fa-f]{2})+)@)? # basic auth
((?:[\pL\pN\-._~!$&'()*+,;=]|%%[0-9A-Fa-f]{2})++(?::(?:[:\pL\pN\-._~!$&'()*+,;=]|%%[0-9A-Fa-f]{2})*+)?@)? # basic auth
Copy link
Member

@nicolas-grekas nicolas-grekas Oct 14, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The RFC allows empty user part, so technically we could go with just the following.
But this makes tests fail as we consider userinfo with no username as invalid (http://:[email protected])

Suggested change
((?:[\pL\pN\-._~!$&'()*+,;=]|%%[0-9A-Fa-f]{2})++(?::(?:[:\pL\pN\-._~!$&'()*+,;=]|%%[0-9A-Fa-f]{2})*+)?@)? # basic auth
((?:[:\pL\pN\-._~!$&'()*+,;=]|%%[0-9A-Fa-f]{2})++)@)? # basic auth

(support for basic auth was added 11 years ago in #11601)

@nicolas-grekas
Copy link
Member

nicolas-grekas commented Oct 16, 2025

Thank you @mjaschen.

@nicolas-grekas nicolas-grekas merged commit 68cd755 into symfony:6.4 Oct 16, 2025
11 checks passed
This was referenced Oct 28, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@lyrixx lyrixx Awaiting requested review from lyrixx

@yceruto yceruto Awaiting requested review from yceruto

@chalasr chalasr Awaiting requested review from chalasr

@dunglas dunglas Awaiting requested review from dunglas

@xabbuh xabbuh Awaiting requested review from xabbuh

Assignees

No one assigned

Labels

Bug Status: Reviewed Validator

Projects

None yet

Milestone

6.4

Development

Successfully merging this pull request may close these issues.

3 participants

@mjaschen @carsonbot @nicolas-grekas