gksxodnd007 commented on PR #579: URL: https://github.com/apache/tomcat/pull/579#issuecomment-1414693058
@markt-asf I looked at the Reactor Netty code to check how they close the connection when the current request was not fully read. They also close the connection, even though it is keep-alive, when the decode processing of the request failed.

How about adding defensive code to prevent the request smuggling risks? If I add the code, would you reconsider dropping the connection based on the HTTP status code?

ref:
- https://github.com/reactor/reactor-netty/blob/c71ebe4372f35496eb04471355ea84739bc6381a/reactor-netty-http/src/main/java/reactor/netty/http/server/HttpTrafficHandler.java#L193-L197
- https://github.com/reactor/reactor-netty/blob/c71ebe4372f35496eb04471355ea84739bc6381a/reactor-netty-http/src/main/java/reactor/netty/http/server/HttpTrafficHandler.java#L280-L283
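
The connection-reuse decision discussed in the comment above, as an added example that is not code from the PR, Tomcat, or Reactor Netty. The class, the `mayReuse` method, and the `SWALLOW_LIMIT` value are hypothetical, and the input bytes are constructed. A keep-alive connection is reused only when the request decoded cleanly and any unread body can be drained, so leftover body bytes are never parsed as the next request.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class UnreadBodyPolicy {
    // Hypothetical cap on unread body bytes the server will discard to save a connection.
    static final long SWALLOW_LIMIT = 16;

    // True only if the next bytes on the connection are guaranteed to start a new request.
    static boolean mayReuse(InputStream conn, long declaredLength, long alreadyRead,
                            boolean decodeFailed, boolean keepAlive) throws IOException {
        if (!keepAlive || decodeFailed) {
            return false; // after a decode failure the framing cannot be trusted
        }
        long remaining = declaredLength - alreadyRead;
        if (remaining < 0 || remaining > SWALLOW_LIMIT) {
            return false; // too much (or inconsistent) data to drain: close instead
        }
        byte[] buf = new byte[256];
        while (remaining > 0) {
            int n = conn.read(buf, 0, (int) Math.min(buf.length, remaining));
            if (n < 0) {
                return false; // peer ended the stream in the middle of the body
            }
            remaining -= n;
        }
        return true; // body fully consumed; the stream now sits at a request boundary
    }

    static InputStream wire(String s) {
        return new ByteArrayInputStream(s.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: bytes left on the socket after the headers of a request
        // that the application rejected without reading its body.
        String next = "GET /next HTTP/1.1\r\nHost: example.test\r\n\r\n";
        InputStream small = wire("0123456789" + next);
        System.out.println("small unread body, reuse: " + mayReuse(small, 10, 0, false, true));
        String rest = new String(small.readAllBytes(), StandardCharsets.US_ASCII);
        System.out.println("stream at request boundary: " + rest.startsWith("GET /next"));
        System.out.println("large unread body, reuse: "
                + mayReuse(wire("x".repeat(64) + next), 64, 0, false, true));
        System.out.println("decode failed, reuse: " + mayReuse(wire(next), 0, 0, true, true));
    }
}
```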