rmaucher commented on PR #579: URL: https://github.com/apache/tomcat/pull/579#issuecomment-1415375850
Of course, some instances of these status codes would be "ok" to recover from, but Mark is actually right: it is not going to be deterministic. Also it is not possible to add "defensive" code since starting to decode random bytes in a random location will allow request smuggling (a proxy and Tomcat have to both "see" the same HTTP requests coming in and process them the same way). If you are using Tomcat without proxying of any kind (that happens very often, right?), then it is less dangerous although there is some DoS potential on HTTP header parsing errors.
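The framing problem described in the comment above, as an added example that is not part of the original message and is not Tomcat code: a toy HTTP/1.1 framer run over one constructed keep-alive stream under two error policies. It assumes a front-end proxy forwarded the stream as a single POST; `parse_one`, `serve`, the policy names and the sample bytes are all hypothetical.

```python
# Added illustration: constructed parser and byte stream, not Tomcat code.
CRLF = b"\r\n"

class ParseError(Exception):
    pass

def parse_one(buf, pos):
    """Parse one request at pos; return (request_line, offset of next request)."""
    head_end = buf.find(CRLF + CRLF, pos)
    if head_end < 0:
        raise ParseError("incomplete header block")
    lines = buf[pos:head_end].split(CRLF)
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise ParseError("bad request line")
    length = 0
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ParseError("header line without colon")
        if name.lower() == b"content-length":
            if not value.strip().isdigit():
                raise ParseError("bad Content-Length")
            length = int(value.strip())
    end = head_end + 4 + length
    if end > len(buf):
        raise ParseError("incomplete body")
    return lines[0].decode("ascii"), end

def serve(buf, on_error):
    """Outcomes one keep-alive connection produces under the given error policy."""
    out, pos = [], 0
    while pos < len(buf):
        try:
            line, pos = parse_one(buf, pos)
            out.append(line)
        except ParseError:
            out.append("400")
            if on_error == "close":
                break  # message framing is unknown, so stop reading
            # "resync": the body length was never learned; guess a restart point
            nxt = buf.find(CRLF + CRLF, pos)
            if nxt < 0:
                break
            pos = nxt + 4
    return out

# Constructed stream: the proxy forwarded ONE POST whose payload is BODY.
BODY = b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n"
STREAM = (b"POST /a HTTP/1.1\r\nHost: example.test\r\nbroken header line\r\n"
          b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)
```

With the `close` policy the connection yields a single 400 and nothing after it is decoded; with `resync` the payload bytes are decoded as a second request that the proxy never saw as one.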