Hi,
I'm unable to locate a patch to fix CVE-2005-2090. I cannot find any hint
in the svn commit log or bugzilla.
According to http://tomcat.apache.org/security-5.html this issue is fixed in
5.5.23, so I've downloaded 5.5.20 and 5.5.23 from archive.apache.org
and used diff -ru on the unpacked source code to locate it.
Maybe it is this commit
r513079 | markt | 2007-03-01 01:26:12 +0100 (Čt, 01 bře 2007) | 1 line
As per RFC2616, requests with multiple content-length headers are invalid.
Index: coyote/src/java/org/apache/coyote/Request.java
===
--- coyote/src/java/org/apache/coyote/Request.java (revision 511952)
+++ coyote/src/java/org/apache/coyote/Request.java (revision 513079)
@@ -294,7 +294,7 @@
public long getContentLengthLong() {
if( contentLength > -1 ) return contentLength;
-MessageBytes clB = headers.getValue("content-length");
+MessageBytes clB = headers.getUniqueValue("content-length");
contentLength = (clB == null || clB.isNull()) ? -1 : clB.getLong();
return contentLength;
...
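Review bot: On the changed `headers.getUniqueValue("content-length")` line, the hunk does not show how a duplicate header is reported, and the unchanged next line maps a null result to -1, i.e. "no Content-Length". If getUniqueValue() returned null for duplicates, the request would be handled as if no length had been sent instead of being rejected, so please add a short comment here stating that a duplicate raises an error (citing the RFC 2616 rule from the commit message) and confirm that callers of getContentLengthLong() turn that error into a 400 response. Note also that the early `if( contentLength > -1 ) return contentLength;` means the uniqueness check runs only on the first call, which is fine only if that first call cannot be bypassed; a test with two Content-Length headers would pin this behaviour down.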
is that, but I'm not sure.
Could anyone help?
Regards
Michal Vyskocil