On 25/11/2023 01:43, Adwait Kumar Singh wrote:
Hey Tomcat users,

I am using Async Servlets and have a question on how to safeguard my
application from Request Smuggling.

In my current setup I do the following,

1. `startAsync` on the ServletRequest.
2. Create a ReadListener and attach it to the ServletInputStream.
3. Once I have read the entire request and onAllDataRead is invoked, I
forward the original ServletRequest and ServletResponse to other parts of
my application for further processing in a separate threadpool.
4. Once all processing is done, close the async context.

Now the dilemma I am facing is that other parts of my application still
hold a reference to the ServletRequest and ServletResponse, which can
potentially be recycled if there is an error and thereby cause request
smuggling.

What's the ideal way to safeguard against this? Should I instead pass the
AsyncContext and always fetch the ServletRequest and ServletResponse from
it instead of passing the original references?

Ideal is going to vary depending on circumstance but passing the AsyncContext would work.

Mark
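Mark's suggestion in working form, as an added example that is not from the thread: the worker pool receives only the AsyncContext and looks the request and response up from it at the moment it needs them. It assumes the jakarta.servlet API (Tomcat 10+); the servlet name, URL pattern and pool size are made up.

```java
// Added example (not from the thread). Assumes jakarta.servlet (Tomcat 10+);
// on Tomcat 9 the same code works with the javax.servlet packages.
import jakarta.servlet.*;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.*;
import java.io.*;
import java.util.concurrent.*;

@WebServlet(urlPatterns = "/ingest", asyncSupported = true)   // hypothetical servlet
public class AsyncIngestServlet extends HttpServlet {
    private final ExecutorService pool = Executors.newFixedThreadPool(4);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        final AsyncContext ctx = req.startAsync();                  // step 1
        ctx.setTimeout(30_000);
        final ServletInputStream in = req.getInputStream();
        final ByteArrayOutputStream body = new ByteArrayOutputStream();

        in.setReadListener(new ReadListener() {                     // step 2
            @Override public void onDataAvailable() throws IOException {
                byte[] buf = new byte[4096];
                int n;
                // in non-blocking mode isReady() must be checked before every read
                while (in.isReady() && (n = in.read(buf)) != -1) body.write(buf, 0, n);
            }
            @Override public void onAllDataRead() {                 // step 3
                // hand over the AsyncContext only, never req/resp themselves
                pool.execute(() -> process(ctx, body.toByteArray()));
            }
            @Override public void onError(Throwable t) {
                ctx.complete();       // failed read: never dispatch it to the pool
            }
        });
    }

    private void process(AsyncContext ctx, byte[] body) {
        try {
            // Re-fetch the response from the context instead of caching the object
            // captured in doPost: once the async cycle has been completed (timeout,
            // error) getRequest()/getResponse() throw IllegalStateException instead of
            // returning an object Tomcat may already have recycled for another client.
            HttpServletResponse resp = (HttpServletResponse) ctx.getResponse();
            resp.setContentType("text/plain");
            resp.getWriter().println("received " + body.length + " bytes");
            ctx.complete();                                         // step 4
        } catch (IllegalStateException | IOException e) {
            // async cycle already over: there is nothing safe left to write to
        }
    }
}
```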
