markt-asf commented on a change in pull request #176: CoyoteAdapter: fix
out-of-bounds read in checkNormalize
URL: https://github.com/apache/tomcat/pull/176#discussion_r298806623
##########
File path: test/org/apache/catalina/connector/TestCoyoteAdapter.java
##########
@@ -344,6 +345,29 @@ private void doTestNormalize(String input, String
expected) {
}
}
+ @Test
+ public void testCheckNormalize() {
+ doTestCheckNormalize("/url", true);
+
+ doTestCheckNormalize("", false);
+ doTestCheckNormalize("..", false);
+ doTestCheckNormalize("/.", false);
+ doTestCheckNormalize("/..", false);
+ doTestCheckNormalize("/./", false);
+ doTestCheckNormalize("//", false);
+ doTestCheckNormalize("/../", false);
+ doTestCheckNormalize("\\", false);
+ doTestCheckNormalize("\0", false);
+ }
Review comment:
One test per method here as well. `testCheckNormalize01()`,
`testCheckNormalize02()` etc.
While I am not against direct testing of any value that could be passed to
`checkNormalize()`, I think the test would be more useful if the appropriate
input was passed to `normalize()`, `convertURI()` and then `checkNormalize()`.
I appreciate `checkNormalize()` is a public method and could - in theory -
receive any input but in this instance the testing needs to focus on what is
possible given Tomcat's usage of the method.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
