Hi Mark,

> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Tuesday, May 27, 2014 4:33 PM

<snip>

> Yes, you need to have a content-length above Long.MAX_VALUE for problems
> to occur. That would be unusual to say the least for most (all?)
> applications in normal usage but easy for a malicious user to set.
>
> If the proxy handles the header correctly, the attacker is going to have
> to send a *lot* of data to get this to work. Where things would get
> interesting is if the proxy and Tomcat both had parsing issues but ended
> up with different values. That would make request smuggling a lot easier.
>
> Something else to consider. If an attacker can trigger this
> "request/response offset" then any subsequent requests they make could
> receive responses that contain data from other users. Even if they can't
> control what that data is, that is still information disclosure.

OK, thanks for the clarification!

Regards,
Konstantin Preißer
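The class of defect Mark describes, a Content-Length value above Long.MAX_VALUE, is shown below as an added, constructed example (not Tomcat's code and not from this thread): a digit-accumulating parser without an overflow check silently wraps such a value, while a strict parser rejects it so the server and any proxy in front of it cannot disagree about the body length.

```java
import java.util.OptionalLong;

/** Constructed illustration of Content-Length parsing; not Tomcat's implementation. */
public final class ContentLengthCheck {

    /** Naive parser: accumulates digits with no overflow check, so a value above
     *  Long.MAX_VALUE silently wraps to a different (here negative) number. */
    static long parseNaive(String value) {
        long n = 0;
        for (char c : value.toCharArray()) {
            if (c < '0' || c > '9') throw new IllegalArgumentException("not a digit: " + c);
            n = n * 10 + (c - '0');   // wraps silently once n * 10 + digit exceeds Long.MAX_VALUE
        }
        return n;
    }

    /** Strict parser: digits only (no sign, no whitespace) and an explicit range check.
     *  Returns empty when the value would not fit in a long; the caller should then
     *  reject the request (e.g. 400) rather than guess at a body length. */
    static OptionalLong parseStrict(String value) {
        if (value.isEmpty()) return OptionalLong.empty();
        long n = 0;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < '0' || c > '9') return OptionalLong.empty();
            int d = c - '0';
            // n * 10 + d > Long.MAX_VALUE  <=>  n > (Long.MAX_VALUE - d) / 10
            if (n > (Long.MAX_VALUE - d) / 10) return OptionalLong.empty();
            n = n * 10 + d;
        }
        return OptionalLong.of(n);
    }

    public static void main(String[] args) {
        String normal = "1024";
        String huge = "9223372036854775808"; // Long.MAX_VALUE + 1, constructed test value
        System.out.println("naive  " + normal + " -> " + parseNaive(normal));
        System.out.println("naive  " + huge + " -> " + parseNaive(huge));   // wraps to Long.MIN_VALUE
        System.out.println("strict " + normal + " -> " + parseStrict(normal));
        System.out.println("strict " + huge + " -> " + parseStrict(huge));  // empty: reject the request
    }
}
```

Java's own Long.parseLong already throws on out-of-range input; the hand-rolled naive parser above is included only to make the wrap-around visible next to the checked version.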