Re: Where's the fix of CVE-2005-2090?
On Monday 28 January 2008 21:09:31 Mark Thomas wrote:
> Michal Vyskocil wrote:
> > I'm unable to locate a patch to fix the CVE-2005-2090. I cannot find any hint from svn commit log or bugzilla.
> > Maybe it is this commit
> > r513079 | markt | 2007-03-01 01:26:12 +0100 (Čt, 01 bře 2007) | 1 line
> > As per RFC2616, requests with multiple content-length headers are invalid.
>
> Yep, that's it.
>
> Mark

Thanks for your help, Mark.

Re: Where's the fix of CVE-2005-2090?
Filip Hanik - Dev Lists wrote:
> Mark Thomas wrote:
> > Michal Vyskocil wrote:
> > > I'm unable to locate a patch to fix the CVE-2005-2090. I cannot find any hint from svn commit log or bugzilla.
> > > Maybe it is this commit
> > > r513079 | markt | 2007-03-01 01:26:12 +0100 (Čt, 01 bře 2007) | 1 line
> > > As per RFC2616, requests with multiple content-length headers are invalid.
> >
> > Yep, that's it.
>
> Isn't it documented incorrectly then? We don't return 400, we just grab one of the headers.

If you look at the code for MimeHeaders.getUniqueValue() you'll see that the code throws an IAE if multiple values are found in the headers.

Mark

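The difference between grabbing one of the headers and a unique-value lookup, as an added example that is not part of the original messages and is not Tomcat's code. The class `UniqueContentLength`, its methods and the sample request are hypothetical, and mapping the exception to a 400 status is this example's assumption.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration: a hypothetical stand-in, not Tomcat's MimeHeaders or Request.
public class UniqueContentLength {
    // Collect every value of one header (names are case-insensitive).
    static List<String> allValues(String raw, String name) {
        List<String> found = new ArrayList<>();
        String[] lines = raw.split("\r\n");
        // Skip the request line (index 0); stop at the blank line ending the headers.
        for (int i = 1; i < lines.length && !lines[i].isEmpty(); i++) {
            int colon = lines[i].indexOf(':');
            if (colon > 0 && lines[i].substring(0, colon).trim().equalsIgnoreCase(name)) {
                found.add(lines[i].substring(colon + 1).trim());
            }
        }
        return found;
    }

    // Lenient lookup: takes the first value, so a duplicate goes unnoticed.
    static long firstValue(String raw) {
        List<String> v = allValues(raw, "content-length");
        return v.isEmpty() ? -1 : Long.parseLong(v.get(0));
    }

    // Strict lookup: more than one value is an error, as described for getUniqueValue().
    static long uniqueValue(String raw) {
        List<String> v = allValues(raw, "content-length");
        if (v.size() > 1) {
            throw new IllegalArgumentException("multiple content-length headers: " + v);
        }
        return v.isEmpty() ? -1 : Long.parseLong(v.get(0));
    }

    // Assumed mapping to a status code. NumberFormatException extends
    // IllegalArgumentException, so a non-numeric value is rejected as well.
    static int statusFor(String raw) {
        try { uniqueValue(raw); return 200; }
        catch (IllegalArgumentException e) { return 400; }
    }

    public static void main(String[] args) {
        // Constructed sample: two conflicting Content-Length headers.
        String dup = "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                + "Content-Length: 0\r\nContent-Length: 44\r\n\r\n";
        System.out.println("lenient length = " + firstValue(dup));
        System.out.println("strict status  = " + statusFor(dup));
    }
}
```
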
Where's the fix of CVE-2005-2090?
Hi,

I'm unable to locate a patch to fix the CVE-2005-2090. I cannot find any hint from svn commit log or bugzilla. According to http://tomcat.apache.org/security-5.html this issue is fixed in 5.5.23, so I've downloaded 5.5.20 and 5.5.23 from archive.apache.org and used diff -ru on the unpacked source code to locate that.

Maybe it is this commit

r513079 | markt | 2007-03-01 01:26:12 +0100 (Čt, 01 bře 2007) | 1 line
As per RFC2616, requests with multiple content-length headers are invalid.

Index: coyote/src/java/org/apache/coyote/Request.java === --- coyote/src/java/org/apache/coyote/Request.java (revision 511952) +++ coyote/src/java/org/apache/coyote/Request.java (revision 513079) @@ -294,7 +294,7 @@ public long getContentLengthLong() { if( contentLength -1 ) return contentLength; -MessageBytes clB = headers.getValue(content-length); +MessageBytes clB = headers.getUniqueValue(content-length); contentLength = (clB == null || clB.isNull()) ? -1 : clB.getLong(); return contentLength;
...

is that, but I'm not sure. Could anyone help?

Regards
Michal Vyskocil

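Review bot: in getContentLengthLong(), the new headers.getUniqueValue(...) call has no handling or documentation around it in this hunk, so whatever it raises for a request with duplicate content-length headers (an IllegalArgumentException, according to the reply in this thread) propagates out of what reads as a plain getter. Worth stating in the method's documentation that it can throw for such requests, and confirming that the caller turns that into a rejected request rather than an unhandled error. The hunk also covers only this one lookup, so any other place that reads content-length through headers.getValue(...) would keep the old pick-one behaviour and deserves the same check.
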
Re: Where's the fix of CVE-2005-2090?
Michal Vyskocil wrote:
> I'm unable to locate a patch to fix the CVE-2005-2090. I cannot find any hint from svn commit log or bugzilla.
> Maybe it is this commit
> r513079 | markt | 2007-03-01 01:26:12 +0100 (Čt, 01 bře 2007) | 1 line
> As per RFC2616, requests with multiple content-length headers are invalid.

Yep, that's it.

Mark

Re: Where's the fix of CVE-2005-2090?
Mark Thomas wrote:
> Michal Vyskocil wrote:
> > I'm unable to locate a patch to fix the CVE-2005-2090. I cannot find any hint from svn commit log or bugzilla.
> > Maybe it is this commit
> > r513079 | markt | 2007-03-01 01:26:12 +0100 (Čt, 01 bře 2007) | 1 line
> > As per RFC2616, requests with multiple content-length headers are invalid.
>
> Yep, that's it.

Isn't it documented incorrectly then? We don't return 400, we just grab one of the headers.

filip

> Mark