-
-
Notifications
You must be signed in to change notification settings - Fork 500
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validation regex doesn't validate against RFC #172
Comments
The regex was changed to allow any GUID/UUID to be validated. RFC 4122 is a specific variant of UUID. Others may exist, so the regex was relaxed to allow others to be parsed. In these cases, the |
Sorry. Your last paragraph suggests what I said. :-) I’ll add this to the list for version 4. |
Cool thank you! I was just surprised that it wasn't strictly validating how I expected. I understand others may exist, but IMO (which ofc when talking about strictness is always debateable) strict should be default with a loose opt-in. Which currently there is no option to even opt-in to strictness. |
I'll be introducing some BC breaks in version 4, so that’ll be a good time to introduce strictness here. I’ll just need to come up with an upgrade path that I can use to deprecate existing functionality in an upcoming 3.x release. |
I don't think the current method really needs to be deprecated outright. There may be some very valid use-case for it that people need. V4 would look like this (with regards to this issue) in my mind:
That way when you upgrade if you don't need the loose checking, v4 "just works" for you. While if you relied upon the loose checking for some reason, it's easy to turn on in your application. |
Hi @Garbee! I noticed this because I wrote the test you referenced that broke when you tried to make the changes. As far as I can tell "12345678-1234-abcd-abef-1234abcd4321" is a valid UUID, it just also happens to be easy to type and remember. I did a lot of research when I worked on those but (a) it's been a while and (b) I would never claim I understood everything I read :-P However, after reviewing it again it sounds like basically since the Stupid question - can someone explain to me what "most significant" means here?
|
Yes and Yes.
Then I'd assume they'd figure that out then. It's hardly an issue though considering how many UUID possibilities there are. It would be a long time before any more official UUID version are necessary. |
On the MSB part I believe this is what it is meaning: With this diagram in mind the spec says the MSB of the Knowing this it also helps answer the "what about more than 10 versions" question. As 4 bits has 16 total possible values, simple hex. Which is where |
The new RFC 4122 validation should also account for the variant bits, as well as the version we've been discussing. According to the RFC,
This will set the variant properly in the UUID (see section 4.1.1). For validation purposes, in hexadecimal format, this position will always be More reference: https://speakerdeck.com/ramsey/identify-all-the-things-with-uuids-true-north-php-2016?slide=20 |
@jmauerhan We don't have any code for the validation rules, yet, but if you want to change the existing tests to account for it in the future, that'd be fine. |
Please see version 4.0.0-alpha1. This version includes a validator for RFC 4122 variant UUIDs. It is not the default validator, but you may swap out default validator used by the factory with this one, if you like.
|
The validation regex was changed in commit 77c9c15 to let invalid UUIDs through. I'm not seeing in the RFC where this is allowed.
From section 4.1.3 which also defines only
[1-5]
as valid versions. Therefore, the library currently isn't validating UUIDs properly.Attempting to make the proper reversal on the regex, yields a handful of broken tests. For example
tests/Codec/GuidStringCodecTest.php
uses the following array for the fields:The
time_hi_and_version
here is peculiar, as it doesn't have a valid version. Of course the tests here will fail. However, I'm not sure why the regex was changed originally.What was the intended action by making the validation less strict to allow non-RFC valid UUIDs?
We should at least have the original regex as a constant if the current isn't going to change. Something like
RFC_VALID_PATTERN
. However, if the package is for UUIDs it should work by default strictly against the RFC first with opt-in mechanisms to looser restrictions.The text was updated successfully, but these errors were encountered: