Hello.

Upgrading Tomcat from 10.1.25 to 10.1.33 caused our sanity tests to
fail as the "content-length" header field is no longer present in the
HEAD responses.

The application explicitly sets the content-length header on HEAD requests.

The change is traced to this commit:

commit 8e786a8eda
Author: Mark Thomas <ma...@apache.org>
Date:   Thu Jan 19 20:40:10 2023 +0000

    Update the default HEAD response to exclude payload headers

    First explicitly allowed in RFC 7231 and also in the current RFC 9110

(I compared the tags and saw that this change shows up as being
between .25 and .33 despite the older commit date).

I understand that RFC 9110 says that the application may omit headers
for which the values are determined while generating the content, but
for these endpoints the values are (a) static, and (b) explicitly set
by the servlet. But that also, at least to me, implies that if the
values are not generated, and are known, it's perfectly legal to
include them in the response.

Unfortunately, our client implementation depends on these header
values being present in HEAD responses.

Is there a way to override this behavior?
If not, are there plans to make this behavior more customizable?

We are trying to upgrade due to CVE-2024-52316. We don't use JASPIC,
and can suppress the vulnerability check, but this will hinder any
further upgrades.

Thank you,
  Pawel.
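The two behaviours this message contrasts can be reproduced with Python's standard-library HTTP server, which makes the sanity test concrete without a Tomcat install. The following is an added example, not code from the post or from Tomcat: one handler answers HEAD with the same explicit Content-Length as GET (the application's behaviour that the old Tomcat default preserved), the other omits payload headers on HEAD (the default behaviour the post attributes to the cited commit). A checker then runs the comparison the poster's sanity tests make, HEAD headers against GET headers, and reports whether Content-Length is present and consistent. Handler and function names, the endpoint path and the body bytes are all constructed for this example.

```python
"""
Added example (not part of the mailing-list post or of Tomcat).
Reproduces the two HEAD behaviours discussed in the thread with Python's
standard-library HTTP server and runs the HEAD-vs-GET header check that
a sanity test of this kind performs.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BODY = b"static resource body\n"  # constructed sample content, 21 bytes


class ExplicitHeadHandler(BaseHTTPRequestHandler):
    """HEAD carries the same Content-Length as GET.

    RFC 9110 allows a server to send payload headers on HEAD when the
    values are known without generating the content, which is the case
    the post describes (static values set explicitly by the servlet).
    """

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        self.wfile.write(BODY)

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


class StrippedHeadHandler(ExplicitHeadHandler):
    """HEAD omits payload headers, mirroring the newer default described
    in the post (GET is unchanged)."""

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()


def start_server(handler):
    """Bind to an ephemeral loopback port and serve in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_headers(method, host, port, path="/resource"):
    """Issue one request and return (status, lower-cased header dict)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path)
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    resp.read()  # drain the body (empty for HEAD) before closing
    conn.close()
    return resp.status, headers


def check_head_content_length(host, port, path="/resource"):
    """The sanity check: does HEAD advertise the same Content-Length as GET?"""
    _, get_hdrs = fetch_headers("GET", host, port, path)
    _, head_hdrs = fetch_headers("HEAD", host, port, path)
    get_len = get_hdrs.get("content-length")
    head_len = head_hdrs.get("content-length")
    return {
        "get_content_length": get_len,
        "head_content_length": head_len,
        "head_has_content_length": head_len is not None,
        "consistent": get_len == head_len,
    }


def run_scenario(handler):
    """Start a server with the given handler, run the check, shut it down."""
    server = start_server(handler)
    try:
        host, port = server.server_address
        return check_head_content_length(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for handler in (ExplicitHeadHandler, StrippedHeadHandler):
        print(handler.__name__, run_scenario(handler))
```

Pointing `check_head_content_length` at a real host and port turns it into the kind of upgrade check the post describes: a `head_has_content_length` of `False` after an upgrade is exactly the symptom reported above, and a `consistent` of `False` with both values present flags a mismatch that a client relying on the HEAD value would also misbehave on.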
