[Bug 64144] New: Add an option for rejecting requests that have both CL and TE


Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64144

            Bug ID: 64144
           Summary: Add an option for rejecting requests that have both CL
                    and TE
           Product: Tomcat 9
           Version: 9.0.x
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: -----

According to https://tools.ietf.org/html/rfc7230#section-3.3.3,
If a message is received with both a TE and a CL header field, the TE overrides
the CL. Such a message might indicate an attempt to perform an attack and ought
to be handled as an error.
This feature request is for adding an option for rejecting requests that have
both CL and TE so that Tomcat is protected against misbehaving third-party
components.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
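
The check this request asks for, as an added example that is not Tomcat's code and not part of the original report: it parses a raw request head and applies the RFC 7230 section 3.3.3 rule, rejecting or letting TE override CL. The `reject_cl_and_te` switch is a hypothetical stand-in for the proposed option; the function names and sample requests are constructed for illustration.

```python
class BadRequest(Exception):
    """The request must be answered with 400 and the connection closed."""

def parse_head(raw: bytes) -> dict:
    """Map lowercased field names to their values from a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    fields = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        # Reject missing colons and whitespace around the field name.
        if not sep or not name or name != name.strip():
            raise BadRequest(f"malformed header line: {line!r}")
        fields.setdefault(name.lower(), []).append(value.strip())
    return fields

def body_framing(raw: bytes, reject_cl_and_te: bool = True):
    """Return ('chunked', None), ('length', n) or ('none', 0), or raise BadRequest.

    reject_cl_and_te is a hypothetical stand-in for the option requested above.
    """
    fields = parse_head(raw)
    te = fields.get("transfer-encoding")
    cl = fields.get("content-length")
    if te and cl:
        if reject_cl_and_te:
            raise BadRequest("both Content-Length and Transfer-Encoding present")
        cl = None  # lenient mode: Transfer-Encoding overrides Content-Length
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise BadRequest("final transfer coding is not chunked")
        return ("chunked", None)
    if cl:
        values = {v.strip() for item in cl for v in item.split(",")}
        value = values.pop()
        if values or not (value.isascii() and value.isdigit()):
            raise BadRequest("invalid or conflicting Content-Length")
        return ("length", int(value))
    return ("none", 0)

# Constructed sample request heads (not captured traffic).
START = b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
BOTH = START + b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
CL_ONLY = START + b"Content-Length: 4\r\n\r\n"
DUP_CL = START + b"Content-Length: 4\r\nContent-Length: 7\r\n\r\n"
```

With the switch off, the function follows the RFC's fallback and ignores the Content-Length value, which is the behaviour the report wants to be able to disable.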


[Bug 64144] Add an option for rejecting requests that have both CL and TE

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64144

Violeta Georgieva <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement
