markt-asf commented on a change in pull request #176: CoyoteAdapter: fix
out-of-bounds read in checkNormalize
URL: https://github.com/apache/tomcat/pull/176#discussion_r298806436
##########
File path: java/org/apache/catalina/connector/CoyoteAdapter.java
##########
@@ -1252,6 +1252,11 @@ public static boolean checkNormalize(MessageBytes
uriMB) {
int pos = 0;
+ // An empty URL is not acceptable
+ if (start == end) {
+ return false;
+ }
+
// Check for '\' and 0
Review comment:
I believe the above return would represent unreachable code. Given this is
on the code path every request must pass through, we do not want to add any
unnecessary tests however trivial. If you can find an input to
`CoyoteAdapter.postParseRequest()` that would result in this code being
executed then that would likely be sufficient justification to add this test.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
