Posted to dev@tomcat.apache.org by bu...@apache.org on 2020/02/14 13:48:11 UTC

[Bug 64144] New: Add an option for rejecting requests that have both CL and TE

https://bz.apache.org/bugzilla/show_bug.cgi?id=64144

            Bug ID: 64144
           Summary: Add an option for rejecting requests that have both CL
                    and TE
           Product: Tomcat 9
           Version: 9.0.x
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: violetagg@apache.org
  Target Milestone: -----

According to https://tools.ietf.org/html/rfc7230#section-3.3.3
If a message is received with both a TE and a CL header field, the TE overrides
the CL. Such a message might indicate an attempt to perform an attack and ought
to be handled as an error.
This feature request is for adding an option for rejecting requests that have
both CL and TE so that Tomcat is protected against misbehaving third-party
components.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 64144] Add an option for rejecting requests that have both CL and TE

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64144

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
I'm going to mark this as fixed even though we haven't implemented the option
requested here.

The approach implemented in Tomcat is that if a request uses chunked encoding
but also defines a content length then:
- the content length is removed
- keep-alive is disabled

This allows the current request to complete as per the HTTP spec but protects
against misbehaving 3rd-party components (that may trigger request smuggling)
since disabling keep-alive prevents any request smuggling from occurring.

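The two messages above describe three possible treatments of a request that carries both Content-Length and Transfer-Encoding: the RFC 7230 minimum (TE wins), the option the bug asks for (reject), and what Tomcat actually does (drop CL, disable keep-alive). The following Python is an added example written for this page, not Tomcat's code; it models all three policies on a constructed CL.TE request so the effect of closing the connection is visible. Policy names, function names and the request bytes are assumptions made for the example.

```python
"""Added example (not Tomcat's code): handling a request that carries both
Content-Length (CL) and Transfer-Encoding (TE).  Policies modelled:
  "naive"    - TE overrides CL, connection stays open (RFC 7230 minimum)
  "mitigate" - the behaviour the Tomcat comment describes: honour the
               chunked body, drop CL, disable keep-alive
  "reject"   - the option the bug requests: 400 and close
All request bytes below are constructed for this example."""

CRLF = b"\r\n"


def parse_head(raw):
    """Split a raw request into (request line, [(name, value)], bytes after head)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0].decode("ascii"), headers, rest


def header_values(headers, name):
    return [v for n, v in headers if n == name]


def is_chunked(headers):
    # TE is a comma-separated list; "chunked" must be the final coding.
    codings = [c.strip().lower()
               for v in header_values(headers, "transfer-encoding")
               for c in v.split(",")]
    return bool(codings) and codings[-1] == "chunked"


def read_chunked(data):
    """Decode a chunked body; return (payload, bytes after the trailer section)."""
    payload, pos = bytearray(), 0
    while True:
        end = data.find(CRLF, pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size = int(data[pos:end].split(b";", 1)[0].strip(), 16)  # drop chunk-ext
        pos = end + 2
        if size == 0:
            while True:  # last-chunk: skip optional trailers up to the empty line
                end = data.find(CRLF, pos)
                if end < 0:
                    raise ValueError("truncated trailer section")
                line, pos = data[pos:end], end + 2
                if line == b"":
                    return bytes(payload), data[pos:]
        if data[pos + size:pos + size + 2] != CRLF:
            raise ValueError("truncated chunk data")
        payload += data[pos:pos + size]
        pos += size + 2


def handle(raw, policy="mitigate"):
    """Process one request under a policy; 'leftover' is what the connection
    would parse as the next request (empty when the connection is closed)."""
    request_line, headers, rest = parse_head(raw)
    has_cl = bool(header_values(headers, "content-length"))
    has_te = bool(header_values(headers, "transfer-encoding"))
    keep_alive, action = True, "normal"
    if has_cl and has_te:
        if policy == "reject":
            return {"status": 400, "action": "rejected", "headers": headers,
                    "body": b"", "keep_alive": False, "leftover": b""}
        if policy == "mitigate":
            # Tomcat's approach: honour TE, remove CL, close after this request.
            headers = [(n, v) for n, v in headers if n != "content-length"]
            keep_alive, action = False, "cl-dropped,keep-alive-disabled"
        else:
            action = "te-overrides-cl"
    if has_te and not is_chunked(headers):  # e.g. "Transfer-Encoding: gzip"
        return {"status": 400, "action": "bad-transfer-encoding", "headers": headers,
                "body": b"", "keep_alive": False, "leftover": b""}
    if is_chunked(headers):
        body, leftover = read_chunked(rest)
    else:
        cl = header_values(headers, "content-length")
        length = int(cl[0]) if cl else 0
        if len(rest) < length:
            raise ValueError("truncated body")
        body, leftover = rest[:length], rest[length:]
    if "close" in [v.lower() for v in header_values(headers, "connection")]:
        keep_alive = False
    if not keep_alive:
        leftover = b""  # socket closes; trailing bytes are never parsed
    return {"status": 200, "action": action, "headers": headers,
            "body": bytes(body), "keep_alive": keep_alive, "leftover": leftover}


# Constructed CL.TE smuggling attempt: a component trusting Content-Length sees
# a 6-byte body ("0\r\n\r\nG"); a server honouring TE sees the chunked body end
# at "0\r\n\r\n" and, if the connection stays open, reads "GET /admin ..." as a
# second request that the front component never inspected.
SMUGGLING_ATTEMPT = (b"POST / HTTP/1.1\r\nHost: app.example\r\n"
                     b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n"
                     b"0\r\n\r\n"
                     b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n")

if __name__ == "__main__":
    for policy in ("naive", "mitigate", "reject"):
        r = handle(SMUGGLING_ATTEMPT, policy)
        print(f"{policy:9s} status={r['status']} action={r['action']} "
              f"keep_alive={r['keep_alive']} leftover={r['leftover'][:19]!r}")
```

Running the block shows the difference that matters: under "naive" the leftover is a complete `GET /admin` request waiting on the open connection, under "mitigate" the connection closes and the leftover is empty, and under "reject" the request never gets a body read at all. Note that Tomcat's mitigation only helps if Tomcat is the component reading TE; a front-end that frames by Content-Length still needs its own handling.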


[Bug 64144] Add an option for rejecting requests that have both CL and TE

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64144

Violeta Georgieva <vi...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement
