https://bz.apache.org/bugzilla/show_bug.cgi?id=69466
--- Comment #3 from Pawel Veselov <pawel.vese...@gmail.com> ---

@Mark - regarding implementation - maybe marking a response as "not handled directly" by a servlet, i.e., handled through the default implementation of HttpServlet.doHead(), applying the current filters to such marked requests, and then making it the servlet's responsibility to set the headers correctly? Otherwise, there may be servlets that set, say, the content-length header in doGet(), but produce dynamic/generated data, so two consecutive HEAD and GET requests will produce different header values. And if a servlet does do its own doHead(), and messed the headers up, it's not the container's fault.

The predicament here is also that:

a) if somebody depends on having content-length in HEAD, they are rather blocked from using 10.1.32 and up
b) CVE-2024-52316 precludes use of anything below 10.1.31
c) CVE-2024-52318 precludes use of 10.1.31 (in favor of at least 10.1.32)
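A servlet-side version of what the comment proposes, as an added example that is not part of the bug report or of Tomcat's own code: the servlet overrides doHead() itself, derives the body from the request alone, and sets Content-Length from the buffered body so that HEAD and GET agree. It assumes the Jakarta Servlet API used by Tomcat 10.1 (jakarta.servlet.*); the servlet class, path and query parameter are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet (not from Tomcat or the bug report) that handles HEAD
 * itself instead of relying on the container's default doHead(), so that
 * Content-Length is present and identical for HEAD and GET even though the
 * body is generated per request.
 */
@WebServlet("/report")
public class ReportServlet extends HttpServlet {

    private static final String CONTENT_TYPE = "text/plain; charset=UTF-8";

    /**
     * Builds the whole body up front so its length is known before any
     * header is committed. The body depends only on the request (assumed
     * "name" query parameter), never on a clock or a counter; that is what
     * makes a HEAD followed by a GET with the same parameters agree.
     */
    private byte[] render(HttpServletRequest req) {
        String name = req.getParameter("name");
        if (name == null) {
            name = "anonymous";
        }
        String body = "report for " + name + "\nitems: " + name.length() + "\n";
        return body.getBytes(StandardCharsets.UTF_8);
    }

    /** Entity headers that GET and HEAD must share, set from the same buffered body. */
    private void setEntityHeaders(HttpServletResponse resp, byte[] body) {
        resp.setContentType(CONTENT_TYPE);
        resp.setContentLengthLong(body.length);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        byte[] body = render(req);
        setEntityHeaders(resp, body);
        resp.getOutputStream().write(body);
    }

    /**
     * Explicit HEAD: same headers as GET, no body written. If render() ever
     * mixed in request-independent data (a timestamp, a random id), the
     * HEAD/GET mismatch would be this servlet's doing, not the container's.
     */
    @Override
    protected void doHead(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        byte[] body = render(req);
        setEntityHeaders(resp, body);
        // Deliberately no write: the response is complete with headers only.
    }
}
```

The shared render()/setEntityHeaders() pair is the point: Content-Length is computed once from the bytes that GET would actually send, and doHead() reuses it rather than guessing. Anything the container does with the default doHead() no longer matters for this servlet, since it never reaches that code path.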