apache
[CURATOR-571] PathUtils.validatePath() allows \u001f (unit separator)
This piece of code in PathUtils.java seems to use odd ranges for disallowed characters:
} else if (c > '\u0000' && c '\u001f' || c > '\u007f' && c '\u009F' || c > '\ud800' && c '\uf8ff' || c > '\ufff0' && c '\uffff')
I can understand that 0 is disallowed by earlier condition in the code. But why is 0x1f (unit separator) allowed? Maybe the author wanted to use c? Similarly, the term of the next condition allows 0x7f. And the same goes for the other two ranges.
Either I am missing something here and the ranges are somehow OK, or I am right and the ranges are wrong and should include the boundaries.
I would expect the following test to pass but they don't, except the first one:
@Test public void testPathUtilsInCurator() { PathUtils.validatePath("/test"); }@Test(expected = IllegalArgumentException.class) public void testPathUtils0x1f() { PathUtils.validatePath("/test\u001f"); }
@Test(expected = IllegalArgumentException.class) public void testPathUtils0x7f() { PathUtils.validatePath("/test\u007f"); }
@Test(expected = IllegalArgumentException.class) public void testPathUtils0xffff() { PathUtils.validatePath("/test\uFFFF"); }
Originally reported by wilx, imported from: PathUtils.validatePath() allows \u001f (unit separator)
- status: Open
- priority: Major
- resolution: Unresolved
- imported: 2025-01-21
