Re: Allowed characters in GAV and how/where to sanitize?

Previous Topic Next Topic
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view

Re: Allowed characters in GAV and how/where to sanitize?

The org.apache.maven.*project*.validation.ModelValidator is the Maven2  
In Maven3 it is placed in maven-compat, but from there it calls  

The maven-deploy-plugin is still compatible with Maven2, hence it refers  
to the old validator. But when you run it with Maven3, it'll use the  
matching ModelValidator.

It looks like the version has become more strict since Maven 3.1

I have to admit this are interesting analysis, but for those artifacts the  
damage is already done, not much we can do about it anymore.
And it is likely you cannot use them anymore as dependency with the most  
recent Maven version.


On Tue, 09 Jan 2018 15:42:41 +0100, Andreas Sewe  
<[hidden email]> wrote:

> Hi Stephen,
>> In an url path segment space is mapped to +
> not quite. This holds only for the query part of an URI which is
> typically encoding according to the application/x-www-form-urlencoded
> scheme. Elsewhere in a URI, e.g., the path component, a space is simply
> percent-encoded a %20.
>> The repo manager should be blocking those... likely not doing it’s job.
> I agree. IMHO the repo manager should block (if only as a last resort
> for people using something to deploy that doesn't do the check earlier).
> That being said, the situation on Maven Central is not that dire; there
> are very few versions in the wild that I consider broken:
> Additional quotes:
> - "1.0.0
> - '1.0'
> CLI trouble:
> - mvn+release:perform
> - version=
> Commas instead of dots as separator
> - 1,0
> Expressions or expression-like constructs:
> - ${env.VERSION}
> - ${parent.version}
> - @metro.version@
> - $%7Bcucumber-jvm.version%7D
> If you are interested, I have a more complete list (about 30 entries
> overall), together with a histogram of characters used in versions.
> Interestingly, no non-ASCII characters are used, not even in qualifiers.
>> We probably should also barf on : in a version. There is validation on
>> artifactId and groupId when last I checked
> Different validators barf on different things. The
> org.apache.maven.*project*.validation.DefaultModelValidator used by
> deploy:deploy-file is happy with *any* non-empty version, whereas
> org.apache.maven.*model*.validation.DefaultModelValidator does a bit
> more; in particular, it checks for certain filesystem-unsafe characters,
> including the colon: \ / : " < > | ? *
> I don't really know why deploy:deploy-file prefers one ModelValidator
> over the other, though. Is this a bug in the the maven-deploy-plugin?
> Best wishes,
> Andreas

To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view

Re: Allowed characters in GAV and how/where to sanitize?

Andreas Sewe-2
Fred Cooke wrote:
> Re versions, I know the background on it, but it annoys me that maven can't
> handle 4 part versions, as sometimes it's handy to do a patch level
> that deep. Lots of messed up software in the world :-)

Are you sure that's still the case (the parts-restriction, not the
messiness of software ;-)?

At least the Maven Resolver uses a versioning scheme that's quite
flexible [1]. Not sure if the flexibility at this low level bubbles up
all the way to the top, though. Maybe one the Maven developers can chime in.

> Format should be N[.N as many times as needed][optional hyphen and
> qualifier of some sort] or something like that. Not hard limited to 1 2 or
> 3 parts.

AFAICT, that's what GenericVersionScheme does.

Hope this helps,



signature.asc (899 bytes) Download Attachment