Posted to users@tomcat.apache.org by Ori Fine <or...@telmap.com> on 2007/04/17 18:19:33 UTC

Tomcat 5.5.23 and Multiple Content-Length Headers

Hi,

In Tomcat 5.5.23 and above the following security issue was
included (CVE-2005-2090):

Requests with multiple content-length headers should be rejected as
invalid. When multiple components (firewalls, caches, proxies and
Tomcat) process a sequence of requests where one or more requests
contain multiple content-length headers and several components do not
reject the request and make different decisions as to which
content-length header to use, an attacker can poison a web-cache,
perform an XSS attack and obtain sensitive information from requests
other than their own. Tomcat now returns 400 for requests with multiple
content-length headers.

It turns out that we have mobile clients that due to a technical issue
send requests with multiple content-length headers. Is there a way that
we can turn off this feature in Tomcat in order for us to be able to
upgrade our Tomcat and still support old clients?

Thanks,

Ori Fine


Re: Tomcat 5.5.23 and Multiple Content-Length Headers

Posted by Mark Thomas <ma...@apache.org>.
Ori Fine wrote:
> In Tomcat 5.5.23 and above the following security issue was
> included (CVE-2005-2090):
> 
> It turns out that we have mobile clients that due to a technical issue
> send requests with multiple content-length headers. Is there a way that
> we can turn off this feature in Tomcat in order for us to be able to
> upgrade our Tomcat and still support old clients?

If there is any proxy, cache, web server or similar between Tomcat and
your clients you will have a significant security risk unless you have
full control of all of these elements and can confirm they all handle
multiple content-length in exactly the same way.

There is no option to enable support for multiple content-length
headers, nor will one be added.

Your options are:
- use 5.5.22 and don't upgrade beyond this point until your technical
issue is fixed
- build your own custom version from svn and exclude the patch for
this issue
(http://svn.apache.org/viewvc/tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/Request.java?view=diff&r1=513078&r2=513079&pathrev=513079)

HTH,

Mark
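
The check Mark describes, and the reason it cannot be relaxed, as an added illustration that is not part of this thread and not Tomcat's own code: a small HTTP/1.x header parser that rejects any request carrying more than one Content-Length header with a 400, beside a model of a lenient component that silently picks the first or the last value. The sample requests are constructed for the example; the function names (`parse_headers`, `content_length_strict`, `handle`, `lenient_body`) are the example's own.

```python
"""Strict Content-Length handling, modelled on the behaviour Tomcat 5.5.23
adopted for CVE-2005-2090 (example code, not Tomcat's implementation)."""


def parse_headers(raw: bytes):
    """Split a raw HTTP/1.x request into (request_line, headers, body).

    Header names are lower-cased and order is preserved, so duplicate
    headers stay visible instead of being merged into a dict.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower().decode("ascii"),
                        value.strip().decode("ascii")))
    return request_line, headers, body


def content_length_strict(headers):
    """Return the single Content-Length value, or None if the header is absent.

    Raises ValueError when Content-Length occurs more than once (even with
    identical values, matching Tomcat's 400 response) or is not a
    non-negative integer.
    """
    values = [v for name, v in headers if name == "content-length"]
    if not values:
        return None
    if len(values) > 1:
        raise ValueError(f"multiple Content-Length headers: {values}")
    if not values[0].isdigit():
        raise ValueError(f"invalid Content-Length: {values[0]!r}")
    return int(values[0])


def handle(raw: bytes):
    """Return (status, body_consumed): 400 and no body when the request is
    rejected, otherwise 200 and exactly the bytes Content-Length covers."""
    try:
        _, headers, body = parse_headers(raw)
        length = content_length_strict(headers)
    except ValueError:
        return 400, b""
    return 200, body[: (length or 0)]


def lenient_body(raw: bytes, pick: str):
    """Model a lenient intermediary that does NOT reject duplicates and
    instead uses the first ("first") or last ("last") Content-Length.

    Two such components with different policies disagree about where the
    request ends, which is the disagreement the advisory warns about.
    """
    _, headers, body = parse_headers(raw)
    values = [int(v) for name, v in headers if name == "content-length"]
    if not values:
        return b""
    length = values[0] if pick == "first" else values[-1]
    return body[:length]


# Constructed sample requests for the example.
GOOD = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 5\r\n\r\nhello")
DUP_DIFFERENT = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello world")
DUP_SAME = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: 5\r\nContent-Length: 5\r\n\r\nhello")
BAD_VALUE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: five\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("dup-different", DUP_DIFFERENT),
                       ("dup-same", DUP_SAME), ("bad-value", BAD_VALUE)]:
        print(label, handle(req))
    # Lenient components disagree on the body boundary of DUP_DIFFERENT:
    print("first-wins:", lenient_body(DUP_DIFFERENT, "first"))
    print("last-wins: ", lenient_body(DUP_DIFFERENT, "last"))
```

The strict parser rejects identical duplicates as well as conflicting ones; that is deliberate, since the goal is to guarantee every component on the path derives the same body boundary, and the only way to guarantee that without auditing each proxy and cache is to refuse the ambiguous request outright.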


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org