tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: Where's the fix of CVE-2005-2090?
Date Mon, 28 Jan 2008 21:39:06 GMT
Mark Thomas wrote:
> Michal Vyskocil wrote:
>> I'm unable to locate a patch to fix the CVE-2005-2090. I cannot found 
>> any hint from svn commit log or bugzilla.
>>
>> Maybe is this commit
>> ------------------------------------------------------------------------
>> r513079 | markt | 2007-03-01 01:26:12 +0100 (Čt, 01 bře 2007) | 1 line
>>
>> As per RFC2616, requests with multiple content-length headers are 
>> invalid.
>
> Yep, that's it.
isn't it documented incorrectly then?, we dont return 400, we just grab 
one of the headers.

filip
>
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message