Subject: Re: Reg Sendfile Feature
From: Mark Thomas
To: Tomcat Users List
Date: Thu, 20 Apr 2017 18:22:11 +0100

On 20/04/2017 17:14, Durga Srinivasu Karuturi wrote:
> Hi,
>
> We are trying to analyze two of the below CVEs related to tomcat sendfile
> feature.
>
> CVE-2017-5647 (Production tomcat 8.0.26)
> CVE-2017-5651 (Current tomcat 8.5.12)
>
> We are enabling compression with NIO connector.
>
> As per docs, connector level by default sendfile is enabled and sendfile
> takes precedence over compression.
>
> We are not setting any request attribute "org.apache.tomcat.sendfile.support"
> to enable this support also.
>
> With this can we assume sendfile will not be used and these two CVEs are
> not applicable for us.

No.

> Or do we need to disable connector level to completely turn off sendfile?
>
> Please clarify.

Send file will still be used for static content unless send file is
disabled on the connector.

Mark
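A check for the point made in the reply above, as an added example that is not part of the original thread: it lists the HTTP connectors in a `server.xml` on which sendfile is still enabled, whether or not compression is configured. It assumes the connector attribute is Tomcat's `useSendfile` (the thread does not name it), and the sample XML and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread).
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
               compression="on" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               compression="on" useSendfile="false" />
    <Connector port="8081" protocol="HTTP/1.1" useSendfile="true" />
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>
"""


def is_ajp(protocol):
    """AJP connectors are skipped; this audit only covers HTTP connectors."""
    return protocol.upper().startswith("AJP") or ".ajp." in protocol


def sendfile_enabled(connector):
    """Only an explicit useSendfile="false" counts as disabled.

    The attribute defaults to true, so a missing value means enabled;
    any other value is reported too (a deliberately conservative choice).
    """
    return connector.get("useSendfile", "true").strip().lower() != "false"


def audit(server_xml):
    """Return (port, protocol) for each HTTP connector with sendfile still on."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not is_ajp(protocol) and sendfile_enabled(conn):
            findings.append((conn.get("port"), protocol))
    return findings


if __name__ == "__main__":
    for port, protocol in audit(SAMPLE_SERVER_XML):
        print(f"port {port} ({protocol}): sendfile enabled")
```

In the sample, the connector on port 8080 is reported even though it sets `compression="on"`, which matches the reply: only disabling sendfile on the connector itself takes it out of use.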