On 24 March 2017 at 05:38, Travis Spencer <[email protected]> wrote:
> Are other applications vulnerable if they embed Jetty (though a newer > version) and not make this call on the request? Must it be done per > request or is it something can be done server wide on startup? > The request header size is server wide.. well it is per HttpConfiguration instance, which by default is shared by all connectors on a server. So it need only be set once at startup. The standard distribution does set it, so standard usage is not vulnerable. -- Greg Wilkins <[email protected]> CTO http://webtide.com
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
