Re: Where's the fix of CVE-2005-2090?

2008-01-29 Thread Michal Vyskocil 
On Monday 28 January 2008 21:09:31 Mark Thomas wrote:
> Michal Vyskocil wrote:
> > I'm unable to locate a patch to fix the CVE-2005-2090. I cannot found any
> > hint from svn commit log or bugzilla.
> >
> > Maybe is this commit
> > 
> > r513079 | markt | 2007-03-01 01:26:12 +0100 (Čt, 01 bře 2007) | 1 line
> >
> > As per RFC2616, requests with multiple content-length headers are
> > invalid.
>
> Yep, that's it.
>
> Mark

Thanks for your help, Mark.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Where's the fix of CVE-2005-2090?

2008-01-28 Thread Michal Vyskocil 
Hi,

I'm unable to locate a patch to fix the CVE-2005-2090. I cannot found any hint 
from svn commit log or bugzilla.

According http://tomcat.apache.org/security-5.html is this issue fixed in 
5.5.23, so I've downloaded the 5.5.20 and a 5.5.23 from archive.apache.org 
and use a diff -ru on unpacked source code to locate that.

Maybe is this commit

r513079 | markt | 2007-03-01 01:26:12 +0100 (Čt, 01 bře 2007) | 1 line

As per RFC2616, requests with multiple content-length headers are invalid.

Index: coyote/src/java/org/apache/coyote/Request.java
===
--- coyote/src/java/org/apache/coyote/Request.java  (revision 511952)
+++ coyote/src/java/org/apache/coyote/Request.java  (revision 513079)
@@ -294,7 +294,7 @@
 public long getContentLengthLong() {
 if( contentLength > -1 ) return contentLength;
 
-MessageBytes clB = headers.getValue("content-length");
+MessageBytes clB = headers.getUniqueValue("content-length");
 contentLength = (clB == null || clB.isNull()) ? -1 : clB.getLong();
 
 return contentLength;
...

is that, but I'm no sure.

Anyone could help?

Regards
Michal Vyskocil

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]