ChristopherSchultz commented on PR #681:
URL: https://github.com/apache/tomcat/pull/681#issuecomment-1864828084

   > 1. There are case-insensitive file systems out there... I wonder whether 
those default extensions should be treated case-insensitively. (If one is 
serving a web site from an USB stick or a memory card formatted with FAT? From 
a CD Drive? It is possible, but rare nowadays.)
   
   Fair. Again, I was thinking of trying to minimize the amount of processing 
required by default.
   
   >     2. Add "*.mjs" to the list (see 
https://bz.apache.org/bugzilla/show_bug.cgi?id=68378 )
   
   Fair.
   
   >     3. Documentation: The value in "The default is ..." does not match the 
actual value of DEFAULT_NO_NONCE_URL_PATTERNS;
   
   I will correct this.
   
   >     4. Documentation: "Complete regular expression ... Note that patterns 
cannot contain a comma"
   >        I think if the value starts and ends with a '/'. it would be better 
to treat it whole as a single RegExp. Commas are useful in RegExes and 
disallowing them in this case does not look like a benefit.
   
   I suppose I could write a more fully-featured parser, but right now I'm 
using `String.split(",")` to separate the patterns from each other. If we want 
to parse `/anything/` including commas, we'll need to be able to recognize `/` 
within `/.../`, escapes, etc.
   
   I think I might like to save that for a separate PR since this one is 
complicated enough. WDYT?
   
   >     5. protected boolean skipNonceCheck(HttpServletRequest request) {
   >        It is hard-coded to look for GET. How about a HEAD request?
   
   This check pre-dates this PR. I think it should be addressed separately.
   
   >     6. protected boolean skipNonceCheck(HttpServletRequest request) {
   >        Further in that method. "if (!entryPoints.contains(requestedPath)) 
{ return false; }" - note that unless it is an entry point, processing will end 
here and subsequent lines will not run. I think it was intended to be the 
opposite.
   
   I will review.
   
   >     7. private boolean shouldAddNonce(String url) { ... }
   >        I think that it would make sense to skip adding nonces to the 
entryPoints.
   >        (As a use case: the front page of Manager web application).
   
   I think it does not matter much.
   
   >     8. It would be good to have some test cases.
   
   Okay. Would you prefer very targeted unit tests against e.g. the predicates 
and calls to `HttpServletResponse.encodeURL` or something that includes the 
whole HTTP request/response, page-generation, etc.?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to