https://bz.apache.org/bugzilla/show_bug.cgi?id=65979
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
As per RFC 7230:

<quote>
A sender MUST NOT send a Content-Length header field in any message that
contains a Transfer-Encoding header field.
</quote>

That is sufficient justification to reject such requests with a 400 response.
However, rather than reject the request, Tomcat opted to follow the same
approach as httpd and disable keep-alive.

Note RFC 7230 is stricter here than RFC 2616.

The connection is closed as a precaution to prevent any possible exploitation
of a request smuggling attack if
a) Tomcat is behind a reverse proxy and
b) the reverse proxy incorrectly uses the content-length rather than chunked
   encoding.
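The handling described in Comment #1, sketched as an added example (not Tomcat or httpd code): a framing decision for a request head that carries both headers, with a lenient mode that uses chunked framing and closes the connection, and a strict mode that answers 400. All function and type names are hypothetical, HTTP/1.1 keep-alive by default is assumed, and the sample request is constructed.

```python
# Added illustration, not Tomcat or httpd source; all names are hypothetical.
from typing import NamedTuple


class Framing(NamedTuple):
    status: int        # 200 = process the request, 400 = reject it
    body: str          # "chunked", "length" or "none"
    keep_alive: bool   # may the connection be reused after the response?


def header_values(raw: bytes, name: str) -> list[str]:
    """Values of every header line called `name` in a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        key, _, value = line.partition(":")
        if key.strip().lower() == name:
            values.append(value.strip())
    return values


def decide_framing(raw: bytes, strict: bool = False) -> Framing:
    te = header_values(raw, "transfer-encoding")
    cl = header_values(raw, "content-length")
    tokens = {t.strip().lower() for v in header_values(raw, "connection")
              for t in v.split(",")}
    keep_alive = "close" not in tokens           # assumed HTTP/1.1 default
    if te:
        final = ",".join(te).split(",")[-1].strip().lower()
        if final != "chunked" or (cl and strict):
            return Framing(400, "none", False)   # reject and close
        # Chunked framing is used; a Content-Length alongside it is ignored
        # and the connection is not reused, so leftover bytes are never
        # parsed as a second request.
        return Framing(200, "chunked", keep_alive and not cl)
    if cl:
        if len(set(cl)) > 1 or not (cl[0].isascii() and cl[0].isdigit()):
            return Framing(400, "none", False)   # ambiguous or invalid length
        return Framing(200, "length", keep_alive)
    return Framing(200, "none", keep_alive)


# Constructed sample: one request head carrying both framing headers.
BOTH = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
        b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
        b"5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    print("lenient:", decide_framing(BOTH))
    print("strict: ", decide_framing(BOTH, strict=True))
```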