Chris,

On Thu, Nov 21, 2024 at 1:51 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Pawel,
>
> On 11/19/24 7:52 PM, Pawel Veselov wrote:
> > On Wed, Nov 20, 2024 at 1:26 AM Pawel Veselov <pawel.vese...@gmail.com> wrote:
> >>
> >> Hello.
> >>
> >> Upgrading Tomcat from 10.1.25 to 10.1.33 caused our sanity tests to
> >> fail as the "content-length" header field is no longer present in the
> >> HEAD responses.
> >>
> >> The application explicitly sets the content-length header on HEAD requests.
> >>
> >> The change is traced to this commit:
> >>
> >> commit 8e786a8eda
> >> Author: Mark Thomas <ma...@apache.org>
> >> Date: Thu Jan 19 20:40:10 2023 +0000
> >> Update the default HEAD response to exclude payload headers
> >> First explicitly allowed in RFC 7231 and also in the current RFC 9110
> >
> > After a bit more digging around. The commit, as it went into 10.1.x:
> >
> > commit b9198b0e35
> > Author: Mark Thomas <ma...@apache.org>
> > Date: Thu Jan 19 20:40:10 2023 +0000
> > Update the default HEAD response to exclude payload headers
> > First explicitly allowed in RFC 7231 and also in the current RFC 9110.
> > Servlet 6.0 references RFC 7231
> > Fixes BZ https://bz.apache.org/bugzilla/show_bug.cgi?id=69379
> >
> > I understand that #69379 complained about spurious content-length: 0,
> > but I think the change that kills them completely is an even more serious
> > regression.
>
> +1
>
> One of the most often used use-cases for HEAD is to find out how big the
> resource is before requesting the whole thing, right?

Exactly. And now with CVE-2024-52318, which requires at least 10.1.32, having been published, we are in a bigger jam - this change was introduced in 10.1.32.
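
An added example, not part of the thread and not Tomcat code: a sanity check for the HEAD behaviour discussed above that tells an omitted Content-Length (which RFC 9110 permits) apart from one that disagrees with the GET body length. The in-process server is a constructed stand-in for the application, and all names (`check_head`, `run_case`, `BODY`) are hypothetical.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BODY = b"constructed sample payload for the HEAD check\n"  # constructed test data

def make_handler(head_sends_length):
    """Constructed stand-in server: HEAD either keeps or drops Content-Length."""
    class Handler(BaseHTTPRequestHandler):
        def _send(self, with_length):
            self.send_response(200)
            if with_length:
                self.send_header("Content-Length", str(len(BODY)))
            self.end_headers()

        def do_GET(self):
            self._send(True)
            self.wfile.write(BODY)

        def do_HEAD(self):
            self._send(head_sends_length)  # no body is written for HEAD
        def log_message(self, *args): pass  # keep test output quiet
    return Handler

def check_head(host, port, path="/"):
    """Return 'match', 'omitted' or 'mismatch' for HEAD vs GET on one resource."""
    def fetch(method):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path)
        resp = conn.getresponse()
        result = (resp.getheader("Content-Length"), resp.read())
        conn.close()
        return result

    head_len, _ = fetch("HEAD")
    _, get_body = fetch("GET")
    if head_len is None:
        return "omitted"  # permitted by the RFC; clients must size the resource another way
    return "match" if int(head_len) == len(get_body) else "mismatch"

def run_case(head_sends_length):
    """Start the stand-in server on a free local port and classify its HEAD response."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(head_sends_length))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_head("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
```

Treating "omitted" as a warning and only "mismatch" as a failure keeps such a test from blocking an upgrade that is needed for a security fix.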