markt-asf commented on a change in pull request #176: CoyoteAdapter: fix out-of-bounds read in checkNormalize URL: https://github.com/apache/tomcat/pull/176#discussion_r298806436
########## File path: java/org/apache/catalina/connector/CoyoteAdapter.java ########## @@ -1252,6 +1252,11 @@ public static boolean checkNormalize(MessageBytes uriMB) { int pos = 0; + // An empty URL is not acceptable + if (start == end) { + return false; + } + // Check for '\' and 0 Review comment: I believe the above return would represent unreachable code. Given this is on the code path every request must pass through, we do not want to add any unnecessary tests however trivial. If you can find an input to `CoyoteAdapter.postParseRequest()` that would result in this code being executed then that would likely be sufficient justification to add this test. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org