docs: Documents the purpose behind the newly added tests

weierophinney · weierophinney · commit 98fff9cb3827 · 2022-11-30T11:56:35.000-06:00
- Documents the CVE that led to the new tests.
- Documents the differences in behavior between using UriInterface::getPath(), UriInterface::__toString(), and RequestInterface::getRequestTarget().
diff --git a/src/RequestIntegrationTest.php b/src/RequestIntegrationTest.php
@@ -171,6 +171,11 @@ public function testUriPreserveHost_Host_Host()
     }
 
     /**
+     * Tests that getRequestTarget(), when using the default behavior of
+     * displaying the origin-form, normalizes multiple leading slashes in the
+     * path to a single slash. This is done to prevent URL poisoning and/or XSS
+     * issues.
+     *
      * @see UriIntegrationTest::testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreventXSS
      */
     public function testGetRequestTargetInOriginFormNormalizesUriWithMultipleLeadingSlashesInPath()
diff --git a/src/UriIntegrationTest.php b/src/UriIntegrationTest.php
@@ -241,6 +241,14 @@ public function testPathWithMultipleSlashes()
         $this->assertSame($expected, (string) $uri);
     }
 
+    /**
+     * Tests that getPath() normalizes multiple leading slashes to a single
+     * slash. This is done to ensure that when a path is used in isolation from
+     * the authority, it will not cause URL poisoning and/or XSS issues.
+     *
+     * @see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3257
+     * @psalm-param array{expected: non-empty-string, uri: UriInterface} $test
+     */
     public function testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreventXSS()
     {
         if (isset($this->skippedTests[__FUNCTION__])) {
@@ -260,6 +268,10 @@ public function testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreven
     }
 
     /**
+     * Tests that the full string representation of a URI that includes multiple
+     * leading slashes in the path is presented verbatim (in contrast to what is
+     * provided when calling getPath()).
+     *
      * @depends testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreventXSS
      * @psalm-param array{expected: non-empty-string, uri: UriInterface} $test
      */
