markt-asf commented on a change in pull request #176: CoyoteAdapter: fix out-of-bounds read in checkNormalize
URL: https://github.com/apache/tomcat/pull/176#discussion_r298806623
 
 

 ##########
 File path: test/org/apache/catalina/connector/TestCoyoteAdapter.java
 ##########
 @@ -344,6 +345,29 @@ private void doTestNormalize(String input, String 
expected) {
         }
     }
 
+    @Test
+    public void testCheckNormalize() {
+        doTestCheckNormalize("/url", true);
+
+        doTestCheckNormalize("", false);
+        doTestCheckNormalize("..", false);
+        doTestCheckNormalize("/.", false);
+        doTestCheckNormalize("/..", false);
+        doTestCheckNormalize("/./", false);
+        doTestCheckNormalize("//", false);
+        doTestCheckNormalize("/../", false);
+        doTestCheckNormalize("\\", false);
+        doTestCheckNormalize("\0", false);
+    }
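
Review bot: In testCheckNormalize(), every rejected input is at most four characters long and "/url" is the only accepted input, so the end-of-buffer boundary this PR is about is exercised only on very short strings. Suggest adding longer paths that end in the same sequences (for example "/foo/." and "/foo/.."), inputs with the backslash or NUL byte in the middle of an otherwise valid path, and at least one more input that is expected to be accepted, so a regression that rejects everything cannot pass. A one-line comment marking which input reproduced the out-of-bounds read would also make the regression case easy to find later.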
 
 Review comment:
   One test per method here as well. `testCheckNormalize01()`, 
`testCheckNormalize02()` etc.
   
   While I am not against direct testing of any value that could be passed to 
`checkNormalize()`, I think the test would be more useful if the appropriate 
input was passed to `normalize()`, `convertURI()` and then `checkNormalize()`. 
I appreciate `checkNormalize()` is a public method and could - in theory - 
receive any input but in this instance the testing needs to focus on what is 
possible given Tomcat's usage of the method.
