Jose María Zaragoza wrote:
2015-05-06 0:53 GMT+02:00 Mark Thomas <ma...@apache.org>:

CVE-2014-0230 Denial of Service

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.8
- Apache Tomcat 7.0.0 to 7.0.54
- Apache Tomcat 6.0.0 to 6.0.43

Description:
When a response for a request with a request body is returned to the
user agent before the request body is fully read, by default Tomcat
swallows the remaining request body so that the next request on the
connection may be processed.


I'm trying to understand when that behaviour is happening.
When is a response returned before the request body is fully read?
What happens when the remaining request body is read?


Guess for Q1: when the original request's target is an area which requires authentication, and the request is not?
Q2: That is explained in the message: it is discarded.
It's just that it may be very large (and/or slow), and Tomcat may have a thread busy for a while reading it to the end.

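The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Tomcat's code: a simplified Java model of what a connector has to do once a response has gone out before the body was read, namely discard the unread bytes so the connection can be reused, or close it. `SwallowModel`, `finishRequest` and `swallowLimit` are hypothetical names, and the 1 MiB upload is constructed input.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

// Added illustration: a simplified model, not Tomcat's connector code.
public class SwallowModel {

    enum Outcome { KEEP_ALIVE, CLOSE }

    // Hypothetical helper. Called after the response has already been sent
    // (for example a 401 written before the application read the body).
    // `unread` is how many body bytes the client still owes; `swallowLimit`
    // is the most we are willing to discard, or -1 for no limit.
    static Outcome finishRequest(InputStream body, long unread, long swallowLimit)
            throws IOException {
        byte[] buf = new byte[8192];
        long swallowed = 0;
        while (unread > 0) {
            if (swallowLimit >= 0 && swallowed >= swallowLimit) {
                return Outcome.CLOSE;          // give up and free the thread
            }
            int want = (int) Math.min(buf.length, unread);
            if (swallowLimit >= 0) {
                want = (int) Math.min(want, swallowLimit - swallowed);
            }
            int n = body.read(buf, 0, want);   // blocks for as long as the client is slow
            if (n < 0) {
                return Outcome.CLOSE;          // client went away mid-body
            }
            swallowed += n;
            unread -= n;
        }
        return Outcome.KEEP_ALIVE;             // stream is positioned at the next request
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: a 1 MiB body of which the application read nothing.
        byte[] upload = new byte[1 << 20];
        // No limit: the thread reads the whole body before it is released.
        System.out.println(finishRequest(new ByteArrayInputStream(upload), upload.length, -1));
        // 64 KiB limit: the connection is closed once the limit is reached.
        System.out.println(finishRequest(new ByteArrayInputStream(upload), upload.length, 64 * 1024));
        // Small remainder under the limit: discarded, connection reused.
        System.out.println(finishRequest(new ByteArrayInputStream(upload), 1024, 64 * 1024));
    }
}
```

Tomcat's HTTP connector exposes a limit of this kind as the `maxSwallowSize` attribute.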