Mark Thomas wrote:
> Michal Vyskocil wrote:
>> I'm unable to locate a patch to fix CVE-2005-2090. I cannot find
>> any hint in the svn commit log or bugzilla.
>>
>> Maybe it is this commit
>> ------------------------------------------------------------------------
>> r513079 | markt | 2007-03-01 01:26:12 +0100 (Čt, 01 bře 2007) | 1 line
>>
>> As per RFC2616, requests with multiple content-length headers are
>> invalid.
>
> Yep, that's it.
Isn't it documented incorrectly then? We don't return 400, we just grab
one of the headers.
filip
>
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org