Ori Fine wrote:
> In Tomcat 5.5.23 and above the following security issue was
> included (CVE-2005-2090):
> 
> It turns out that we have mobile clients that due to a technical issue
> send requests with multiple content-length headers. Is there a way that
> we can turn off this feature in Tomcat in order for us to be able to
> upgrade our Tomcat and still support old clients?

If there is any proxy, cache, web server or similar between Tomcat and
your clients you will have a significant security risk unless you have
full control of all of these elements and can confirm they all handle
multiple Content-Length headers in exactly the same way.

There is no option to enable support for multiple content-length
headers, nor will one be added.

Your options are:
- use 5.5.22 and don't upgrade beyond this point until your technical
issue is fixed
- build your own custom version from svn and exclude the patch for
this issue
(http://svn.apache.org/viewvc/tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/Request.java?view=diff&r1=513078&r2=513079&pathrev=513079)

HTH,

Mark

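The risk Mark describes is the classic request-smuggling desync: if a proxy honours one Content-Length header and the origin honours the other, the two disagree about where the body ends, and the bytes in between become a second request that only one of them sees. The following is an added example, not code from this thread or from Tomcat; it frames a constructed request under a "first", a "last" and a "strict" policy (strict being the post-fix behaviour the reply describes: any request with more than one Content-Length header is refused, with no option to accept it). The request bytes, host name and policy names are all constructed for illustration.

```python
"""Added example (not from the thread or from Tomcat): why two
Content-Length headers let a proxy and an origin disagree about the
body boundary, and the strict check that refuses such requests.
All request bytes below are constructed for this example."""

CRLF = b"\r\n"


def split_message(raw: bytes):
    """Split raw HTTP/1.x bytes into (request_line, headers, rest).

    headers: list of (lower-cased name, value) in wire order; duplicates
    are kept so the caller can count them.  rest: everything after the
    blank line (the body plus whatever follows it on the connection).
    """
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower().decode("ascii"),
                        value.strip().decode("ascii")))
    return lines[0].decode("ascii"), headers, rest


def declared_length(headers, policy: str) -> int:
    """Body length a parser following `policy` would use.

    first  - honour the first Content-Length seen
    last   - honour the last one
    strict - refuse more than one Content-Length header, even when the
             values agree (the behaviour the reply attributes to Tomcat)
    """
    values = [v for name, v in headers if name == "content-length"]
    if not values:
        return 0
    if policy == "strict":
        if len(values) > 1:
            raise ValueError("400 Bad Request: multiple Content-Length headers")
        return int(values[0])
    if policy == "first":
        return int(values[0])
    if policy == "last":
        return int(values[-1])
    raise ValueError(f"unknown policy {policy!r}")


def frame_request(raw: bytes, policy: str):
    """Return (body, leftover) as a `policy` parser would split the stream.

    `leftover` is what that parser treats as the start of the *next*
    request on the same connection.
    """
    _, headers, rest = split_message(raw)
    n = declared_length(headers, policy)
    if n > len(rest):
        raise ValueError("declared body longer than data on hand")
    return rest[:n], rest[n:]


def is_acceptable(raw: bytes) -> bool:
    """True if the strict parser accepts the request's framing."""
    try:
        frame_request(raw, "strict")
        return True
    except ValueError:
        return False


# Constructed: 6 bytes of form data followed by 43 bytes that parse as a
# second request.  The two Content-Length values name the two boundaries.
SMUGGLING = (
    b"POST /app HTTP/1.1" + CRLF + b"Host: example.test" + CRLF
    + b"Content-Length: 6" + CRLF + b"Content-Length: 49" + CRLF + CRLF
    + b"x=1&y="
    + b"GET /admin HTTP/1.1" + CRLF + b"Host: example.test" + CRLF + CRLF
)

# Constructed: a single, correct Content-Length.
CLEAN = (
    b"POST /app HTTP/1.1" + CRLF + b"Host: example.test" + CRLF
    + b"Content-Length: 6" + CRLF + CRLF + b"x=1&y="
)

# Constructed: the same value repeated, as the poster's clients might send.
# "first" and "last" agree here, but the strict parser still refuses it.
DUPLICATE = (
    b"POST /app HTTP/1.1" + CRLF + b"Host: example.test" + CRLF
    + b"Content-Length: 6" + CRLF + b"Content-Length: 6" + CRLF + CRLF
    + b"x=1&y="
)


if __name__ == "__main__":
    for policy in ("first", "last"):
        body, leftover = frame_request(SMUGGLING, policy)
        print(f"{policy:5s}: body={body!r}\n       leftover={leftover!r}")
    for label, raw in (("SMUGGLING", SMUGGLING), ("CLEAN", CLEAN),
                       ("DUPLICATE", DUPLICATE)):
        print(f"strict accepts {label}: {is_acceptable(raw)}")
```

Running it shows a "first" parser handing the 43-byte `GET /admin` tail to the next request on the connection while a "last" parser swallows it as body; that disagreement between two hops is the whole attack, which is why the strict policy refuses the request outright instead of picking a winner, and why it refuses even the harmless-looking identical duplicate.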

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org