If you use a fixed Tomcat version, you are not vulnerable to the Accept- HTTP Header remote DoS problem.

I think it does not help if you use a REST API, as the underlying problem is in FloatingDecimal.java of the JVM. If you submit the magic string via REST, I think you can hose the system, also. But that's just an assumption, as I never tested it.

Robert

On 09.02.2011 at 17:40, Marvin Addison wrote:

>> you are mostly correct. Except if you use REST....
>
> Can you elaborate on how the use of REST changes the requirements I described?
>
> M
