Issues

ZF-7105: Remove Zend_Validate dependency from Zend_Uri

Description

If you are not using the Zend_Validate package, Zend_Uri_Http::validateHost() cannot validate a given hostname. This forces the user to include and deploy 60 extra files. This prevents the user from using the Zend_Controller and Zend_Uri packages in isolation.

Comments

And then a lot of functionality/code would have to be duplicated, which makes no sense. I would like to suggest to simply deploy The entire ZF library, and then simply call the classes you want to use (so you don't have to deal with dependencies).

I propose to close this issue as 'not-an-issue'.

Umm... you don't need the entire Zend_Validate package, just the Zend_Validate_Hostname and Zend_Validate_Hostname_* classes (and a few dependencies) -- it's not a large amount of code.

Also, as noted, why duplicate code within the framework? We specifically chose not to with Zend_Form's decorators, as Zend_View already had view helpers that could create the element markup; why would we do differently here?

Finally, is 60 files really going to kill you? The total amount of space is a few kilobytes, and a good deploy process will make this trivial.

Can you come up with better, more technical justifications for your request, please?

Dolf: Your solution is not an option. I'm not going to open source a small application and add the entire framework to the download package.

Matthew: What's the point of validating the hostname when I know the host string always passes validation? According to Zend_Uri_Http::validateHost(), if the host sting is not empty (it never is), it checks the string against the allowed values, but, there's only one allowed value, the one the user defines in apache's virtual host as ServerName. So, the framework forces the user to validate a value that is defined by the user and already validated by the web server.

People have not always access to the web server's config.

Also just because in your case the host string is not empty and you allow only one value, it does not mean that this is also the case for all other users.

In my opinion, erasing an existing feature is no good behaviour. When this feature is really needed (has to be decided) it would be a much better way to allow disabling of hostname validation instead of removing it.

I think we are talking about 2 different things here. One is the dependency between Zend_Controller_Request_Http and Zend_Uri_Http, and the other one is Zend_Uri_Http as a standalone utility. This is also mentioned in the manual:

"Zend_Uri exists primarily to service other components such as Zend_Http_Client but is also useful as a standalone utility."

  1. Zend_Uri_Http as a standalone utility:

When this component is used as a standalone utility, it makes sense to call the validateHost() method whenever a user builds a new URI, because the component needs to validate the host string, as the value can be anything. For example:

$uri = $_POST['uri']; // http://zend!.com $zendUri = Zend_Uri::factory($_POST['uri']); // Invalid host string

  1. Zend_Uri_Http as a Zend_Controller_Request_Http dependency:

Here, the Request object is using Zend_Uri_Http to build the URI, but the Request object is not interested in validating the string provided by the Web server, it's using Zend_Uri to build it. The string doesn't need to be validated, it already passed the user and server validation.

Thomas, I don't know what what you mean by users accessing the config file. This issue is related to the DNS server that publishes info about a domain and a web server that maps the server name to a directory. That never changes and doesn't need to be validated. If the hostname is an empty string, then it never reaches the DNS server in the first place.

If there's a use case where the Request object has to validate the host string, ok, then ignore this issue. If not, then I think it shouldn't be validating the same string over and over again.

Dolf

And then a lot of functionality/code would have to be duplicated,

I'm not sure you understand what the issue is.

I propose to close this issue

???

I don't know if you are familiar with the Zend_Controller package, but I'm not proposing that we remove functionality from this package, only the dependency with the Zend_Validate package.

Thomas, I don't agree with your idea of making something like this optional. Why would anyone want to enable this?

The fact that Zend_Uri can be used on a standalone basis, does not mean that it hasn't got any dependencies, it just means that it can also be useful for direct-use, without encapsulating its use through other components. See also the requirements page: http://framework.zend.com/manual/en/…

Therefore, I'm closing this issue once again as not-an-issue.

Reassigning as agreed (I'd have done this earlier but Jira refused to work with me..)

Therefore, I'm closing this issue once again as not-an-issue.

It seems that you don't understand what's being discuss here, and you keep assigning this issue to yourself and closing it without any valid explanation.

The fact that Zend_Uri can be used on a standalone basis

That's not the issue.

  1. If you use Zend_Uri as a standalone component, you have to include the Zend_Validate package as well. That's ok, we all agree on that.

  2. When Zend_Controller (Request object) uses Zend_Uri_Http to dispatch a request, why does it need to validate the host string, if it already passed the server validation?

Re-opening issue.

I'm finding it very difficult to report an issue when there are users who are not willing to engage in a productive discussion. I don't have time to open, re-open and re-open issues. I'll leave that to Dolf.

Closing issue.

waste of time