Posted to dev@tomcat.apache.org by Amarendra Godbole <am...@gmail.com> on 2015/02/13 23:36:43 UTC

Revision 1601333 - Fix for CVE-2014-0227

Hello,

This is my first post, and thank you to the Apache team for bringing us
Tomcat. Your hard work is greatly appreciated!

I have a query about the fix for the request smuggling issue
(CVE-2014-0227) -- when I inspected revision 1601333, I fail to
understand what the fix is, since all the patch seems to do is some
i18n cleanup, and add a boolean variable "error". Or did I miss
something?

Thanks.

-Amarendra

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


RE: Revision 1601333 - Fix for CVE-2014-0227

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Amarendra Godbole [mailto:amarendra.godbole@gmail.com] 
> Subject: Revision 1601333 - Fix for CVE-2014-0227

> I have a query about the fix for the request smuggling issue
> (CVE-2014-0227) -- when I inspected revision 1601333, I fail to
> understand what the fix is, since all the patch seems to do is some
> i18n cleanup, and add a boolean variable "error". Or did I miss
> something?

You missed the code at the end of the module that sets the error flag, the new method to check the flag, and the call to that method.  The checkError() method is invoked in the doRead() method to ensure nothing more is processed in this request.

 - Chuck
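
The sticky error flag pattern Chuck describes, as an added illustration that is not Tomcat's code or the revision 1601333 patch itself: a minimal chunked-body reader in which the first malformed chunk sets the "error" field, and checkError() at the top of doRead() rejects every later read, so nothing after the bad data can be handed to the caller as part of the request. The class name, its simplified parsing (no chunk extensions or trailers) and the input bytes are constructed for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
// Hypothetical, minimal chunked-body reader showing the sticky error flag pattern described
// above (field "error", checkError(), call at the top of doRead()). Not Tomcat's own code.
class StickyErrorChunkedReader {
    private final byte[] in;
    private int pos = 0;
    private boolean error = false; // set on the first malformed byte, never cleared
    StickyErrorChunkedReader(byte[] in) { this.in = in; }
    // Every read starts here: once in error, no further bytes of this request are decoded.
    private void checkError() throws IOException {
        if (error) throw new IOException("chunked stream already in error state");
    }
    // Returns the next chunk payload, or null at the terminating zero-length chunk.
    byte[] doRead() throws IOException {
        checkError();
        int size = parseChunkSize();
        if (size == 0) return null;
        if (pos + size > in.length) fail("truncated chunk");
        byte[] chunk = Arrays.copyOfRange(in, pos, pos + size);
        pos += size;
        expectCrlf();
        return chunk;
    }
    private int parseChunkSize() throws IOException { // chunk extensions are not supported
        int size = 0, digits = 0;
        for (; pos < in.length && in[pos] != '\r'; pos++, digits++) {
            int d = Character.digit(in[pos] & 0xff, 16);
            if (d < 0 || digits == 7) fail("invalid chunk size"); // non-hex or too long
            size = (size << 4) | d;
        }
        if (digits == 0) fail("missing chunk size");
        expectCrlf();
        return size;
    }
    private void expectCrlf() throws IOException {
        if (pos + 1 >= in.length || in[pos] != '\r' || in[pos + 1] != '\n') fail("expected CRLF");
        pos += 2;
    }
    // Record the error before throwing so that every later read fails closed.
    private void fail(String why) throws IOException { error = true; throw new IOException(why); }
    public static void main(String[] args) throws IOException {
        // Constructed input: a valid chunk, a malformed size line ("zz"), then leftover bytes.
        byte[] body = "3\r\nabc\r\nzz\r\nleftover\r\n0\r\n\r\n".getBytes(StandardCharsets.ISO_8859_1);
        StickyErrorChunkedReader r = new StickyErrorChunkedReader(body);
        System.out.println("chunk 1: " + new String(r.doRead(), StandardCharsets.ISO_8859_1));
        for (int attempt = 1; attempt <= 2; attempt++) { // 1st: parse error; 2nd: checkError()
            try { r.doRead(); } catch (IOException e) { System.out.println("read " + attempt + ": " + e.getMessage()); }
        }
    }
}
```

The second failed read never inspects the "leftover" bytes at all; that is the property the flag buys, since a reader that reset its state after a parse error would carry on decoding whatever followed.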

