2015-05-06 13:59 GMT+02:00 Mark Thomas <ma...@apache.org>:
> On 06/05/2015 09:14, André Warnier wrote:
>> Jose María Zaragoza wrote:
>>> 2015-05-06 0:53 GMT+02:00 Mark Thomas <ma...@apache.org>:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA256
>>>>
>>>> CVE-2014-0230 Denial of Service
>>>>
>>>> Severity: Low
>>>>
>>>> Vendor: The Apache Software Foundation
>>>>
>>>> Versions Affected:
>>>> - - Apache Tomcat 8.0.0-RC1 to 8.0.8
>>>> - - Apache Tomcat 7.0.0 to 7.0.54
>>>> - - Apache Tomcat 6.0.0 to 6.0.43
>>>>
>>>> Description:
>>>> When a response for a request with a request body is returned to the
>>>> user agent before the request body is fully read, by default Tomcat
>>>> swallows the remaining request body so that the next request on the
>>>> connection may be processed.
>>>
>>> I'm trying to understand when that behaviour is happening.
>>> When is a response returned before the request body is fully read?
>>> What happens when the remaining request body is read?
>>>
>>
>> Guess for Q1: when the original request's target is an area which
>> requires authentication, and the request is not?
>
> Yes, that is one case. Generally these are error conditions. Either
> Tomcat or the app knows after reading the headers (and maybe the first
> part of the response body) exactly what the response is going to be and
> that the rest of the request body can be skipped. Although Tomcat
> ignores the remainder of the body it needs to read it, as most clients
> don't read the response until the client has fully written the request
> (which means Tomcat has to read it).
>
>> Q2: That is explained in the message: it is discarded.
>> It's just that it may be very large (and/or slow), and Tomcat may have a
>> thread busy for a while reading it to the end.
>
> Exactly. The only reason this gets classed as a DoS (and it was on the
> border of being/not being a vulnerability) is that Tomcat didn't place
> any limit on how much data it would read and ignore. There are easier
> ways to DoS a Tomcat server than use this vector.
>
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

Great. Thanks
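The missing limit Mark describes is the core of the issue: a bounded "swallow" drains an unread body only up to a cap and otherwise gives up on the connection rather than keeping a thread busy. The sketch below is an added illustration of that idea, not Tomcat's own code; the `SwallowResult` type, the `swallow` helper and the 2 MiB cap are assumptions chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

/** Outcome of draining the unread part of a request body (assumed type). */
enum SwallowResult { KEEP_ALIVE, CLOSE_CONNECTION }

public class BoundedSwallow {
    // Assumed cap for this example: how much ignored body we are willing to read.
    static final long MAX_SWALLOW_BYTES = 2L * 1024 * 1024;

    /**
     * Reads and discards the remaining request body so the next request on
     * the connection can be processed, but stops as soon as more than
     * maxSwallow bytes have been consumed. KEEP_ALIVE means the body was
     * drained within the limit; CLOSE_CONNECTION means the server should
     * drop the connection instead of tying up a thread on an oversized body.
     */
    static SwallowResult swallow(InputStream body, long maxSwallow) throws IOException {
        byte[] buf = new byte[8192];
        long swallowed = 0;
        int n;
        while ((n = body.read(buf)) != -1) {
            swallowed += n;
            if (swallowed > maxSwallow) {
                return SwallowResult.CLOSE_CONNECTION;
            }
        }
        return SwallowResult.KEEP_ALIVE;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample bodies: one inside the cap, one well over it.
        InputStream small = new ByteArrayInputStream(new byte[1024 * 1024]);
        InputStream large = new ByteArrayInputStream(new byte[3 * 1024 * 1024]);
        System.out.println("1 MiB body: " + swallow(small, MAX_SWALLOW_BYTES));
        System.out.println("3 MiB body: " + swallow(large, MAX_SWALLOW_BYTES));
    }
}
```

With the cap in place, the worst case per connection is bounded by the limit rather than by whatever the client chooses to send.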