markt-asf commented on a change in pull request #176: CoyoteAdapter: fix out-of-bounds read in checkNormalize URL: https://github.com/apache/tomcat/pull/176#discussion_r298806623
########## File path: test/org/apache/catalina/connector/TestCoyoteAdapter.java ########## @@ -344,6 +345,29 @@ private void doTestNormalize(String input, String expected) { } } + @Test + public void testCheckNormalize() { + doTestCheckNormalize("/url", true); + + doTestCheckNormalize("", false); + doTestCheckNormalize("..", false); + doTestCheckNormalize("/.", false); + doTestCheckNormalize("/..", false); + doTestCheckNormalize("/./", false); + doTestCheckNormalize("//", false); + doTestCheckNormalize("/../", false); + doTestCheckNormalize("\\", false); + doTestCheckNormalize("\0", false); + } Review comment: One test per method here as well. `testCheckNormalize01()`, `testCheckNormalize02()` etc. While I am not against direct testing of any value that could be passed to `checkNormalize()`, I think the test would be more useful if the appropriate input was passed to `normalize()`, `convertURI()` and then `checkNormalize()`. I appreciate `checkNormalize()` is a public method and could - in theory - receive any input but in this instance the testing needs to focus on what is possible given Tomcat's usage of the method. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
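Review bot: putting every input into one `testCheckNormalize()` method means the run stops at the first failing `doTestCheckNormalize(...)` call, so a regression on a later case such as `"\0"` is hidden behind an earlier failure on `"//"`; split it into one test per input as suggested above, or at least have `doTestCheckNormalize` include the input in the assertion message so the failing case is identifiable from the report. The pull request title says it fixes an out-of-bounds read, but none of the added cases is marked as the regression test for that read; a short comment on the input that reproduces it would keep this test tied to the bug it is meant to guard.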