Ori Fine wrote:
In Tomcat 5.5.23 and above the following security issue was
included (CVE-2005-2090):
It turns out that we have mobile clients that, due to a technical issue,
send requests with multiple Content-Length headers. Is there a way that
we can turn off this feature in Tomcat in order for us to be able to
upgrade our Tomcat and still support old clients?
If there is any proxy, cache, web server or similar between Tomcat and
your clients you will have a significant security risk unless you have
full control of all of these elements and can confirm they all handle
multiple Content-Length headers in exactly the same way.
There is no option to enable support for multiple content-length
headers, nor will one be added.
Your options are:
- use 5.5.22 and don't upgrade beyond this point until your technical
issue is fixed
- build your own custom version from svn and exclude the patch for
this issue
(http://svn.apache.org/viewvc/tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/Request.java?view=diff&r1=513078&r2=513079&pathrev=513079)
HTH,
Mark
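As an added illustration (not code from the thread or from Tomcat itself), here is the check Mark describes: a strict parser that rejects any request carrying more than one Content-Length header, next to a lenient parser that silently takes the first or last value, which is how two elements in a chain end up disagreeing on where a body ends. The sample requests are constructed and all function names are hypothetical.

```python
# Constructed sample: a request with two Content-Length headers, as the
# mobile clients in the thread send. The body is harmless filler.
DUPLICATE_CL_REQUEST = (
    b"POST /api/upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"hello world"
)

# Constructed sample: the same request as a well-formed client sends it.
SINGLE_CL_REQUEST = (
    b"POST /api/upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"hello world"
)


def split_request(raw: bytes):
    """Return (header_lines, body) from a raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[1:], body  # drop the request line


def content_length_values(raw: bytes) -> list:
    """All Content-Length values in order; header names are case-insensitive."""
    headers, _ = split_request(raw)
    values = []
    for line in headers:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            values.append(value.strip().decode("ascii", "replace"))
    return values


def strict_body_length(raw: bytes):
    """Behaviour of the patched Tomcat: exactly one numeric Content-Length,
    otherwise the request is rejected (None here, HTTP 400 on the server)."""
    values = content_length_values(raw)
    if len(values) != 1 or not values[0].isdigit():
        return None
    return int(values[0])


def lenient_body_length(raw: bytes, pick: str) -> int:
    """A lenient parser that silently uses the first or last header it saw."""
    values = [v for v in content_length_values(raw) if v.isdigit()]
    if not values:
        return 0
    return int(values[0] if pick == "first" else values[-1])
```

A proxy using the "first" rule and a backend using the "last" rule read different body lengths from the same bytes, which is why Mark insists every element in the chain must behave identically.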