I find it quite surprising that you are worried about security for a version 
that is so old (latest Tomcat on the 7.0.x branch is 7.0.103). Proper security 
practices call for using latest versions where security issues might be 

From: Victor Rodriguez <victropo...@gmail.com>
Sent: Friday, March 27, 2020 11:55 AM
To: dev@tomcat.apache.org
Subject: Malicious Headers

We are using Fortify, which is a static code analysis tool to find 
vulnerabilities in your code and it's saying that code might be susceptible to 
malicious header injection, such as CRLF.  However, it also says that "Many of 
today's modern application servers will prevent the injection of malicious 
characters into HTTP headers. For example, recent versions of Apache Tomcat 
will throw an IllegalArgumentException if you attempt to set a header with 
prohibited characters. If your application server prevents setting headers with 
new line characters, then your application is not vulnerable to HTTP Response 

Does tomcat prevent the injection of malicious characters into HTTP headers?  
We are currently using Apache Tomcat/7.0.53.<http://7.0.53.>  Thanks!

Sent from neither my iPhone nor my iPad.

Reply via email to