From: André Warnier
Reply-To: Tomcat Users List
To: Tomcat Users List
Subject: Re: [SECURITY] CVE-2014-0230: Apache Tomcat DoS
Date: Wed, 06 May 2015 10:14:21 +0200
Message-ID: <5549CD5D.6000906@ice-sa.com>
References: <554949D1.8030904@apache.org>

Jose María Zaragoza wrote:
> 2015-05-06 0:53 GMT+02:00 Mark Thomas :
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> CVE-2014-0230 Denial of Service
>>
>> Severity: Low
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> - Apache Tomcat 8.0.0-RC1 to 8.0.8
>> - Apache Tomcat 7.0.0 to 7.0.54
>> - Apache Tomcat 6.0.0 to 6.0.43
>>
>> Description:
>> When a response for a request with a request body is returned to the
>> user agent before the request body is fully read, by default Tomcat
>> swallows the remaining request body so that the next request on the
>> connection may be processed.
>
> I'm trying to understand when that behaviour is happening.
> When is a response returned before the request body is fully read?
> What happens when the remaining request body is read?

Guess for Q1: when the original request's target is an area which requires authentication, and the request is not?

Q2: That is explained in the message: it is discarded. It's just that it may be very large (and/or slow), and Tomcat may have a thread busy for a while reading it to the end.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
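As an added illustration, not Tomcat's code and not part of the original thread: a small Python model of the "swallow" step the quoted advisory describes (draining an unread request body after the response has already gone out, so the keep-alive connection can serve the next request), next to a bounded variant that models the cap the fix introduced (Tomcat's maxSwallowSize connector attribute, default 2 MiB). The request bodies are constructed in-memory streams, and the function names are assumptions made here.

```python
import io
from dataclasses import dataclass
from typing import BinaryIO

CHUNK = 8192  # read size per iteration; value chosen for this illustration


@dataclass
class SwallowResult:
    swallowed: int    # bytes read and discarded after the early response
    keep_alive: bool  # True if the connection may go on to the next request


def make_body(n: int) -> io.BytesIO:
    """Constructed sample input: an upload of n bytes that was never consumed
    by the servlet (e.g. the request was rejected before the body was read)."""
    return io.BytesIO(b"x" * n)


def swallow_unbounded(body: BinaryIO) -> SwallowResult:
    """Pre-fix behaviour: keep reading until the client stops sending.
    A very large or very slow body keeps this thread busy the whole time."""
    total = 0
    while True:
        chunk = body.read(CHUNK)
        if not chunk:
            break
        total += len(chunk)
    return SwallowResult(total, True)


def swallow_bounded(body: BinaryIO, max_swallow: int) -> SwallowResult:
    """Post-fix behaviour: discard at most max_swallow bytes. If more is still
    pending, stop reading and close the connection instead of draining it."""
    total = 0
    while True:
        # Ask for one byte beyond the budget so an over-limit body is detected
        # without reading a whole extra chunk.
        want = min(CHUNK, max_swallow - total + 1)
        chunk = body.read(want)
        if not chunk:
            return SwallowResult(total, True)   # body ended within the limit
        total += len(chunk)
        if total > max_swallow:
            return SwallowResult(total, False)  # give up; drop the connection


if __name__ == "__main__":
    print(swallow_unbounded(make_body(100_000)))       # drains everything
    print(swallow_bounded(make_body(100_000), 4096))   # stops early, closes
    print(swallow_bounded(make_body(100), 4096))       # small body, keep-alive
```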