Hi,


In Tomcat 5.5.23 and above, the fix for the following security issue was
included (CVE-2005-2090):


Requests with multiple content-length headers should be rejected as
invalid. When multiple components (firewalls, caches, proxies and
Tomcat) process a sequence of requests where one or more requests
contain multiple content-length headers and several components do not
reject the request and make different decisions as to which
content-length header to use, an attacker can poison a web-cache,
perform an XSS attack and obtain sensitive information from requests
other than their own. Tomcat now returns 400 for requests with multiple
content-length headers.


It turns out that we have mobile clients that, due to a technical issue,
send requests with multiple content-length headers. Is there a way that
we can turn off this feature in Tomcat in order for us to be able to
upgrade our Tomcat and still support old clients?


Thanks,

Ori Fine
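The check that Tomcat 5.5.23 introduced, as an added Python example (not Tomcat's own code): a request-header validator of the kind a front-end proxy could apply before forwarding. The function names, the collapse_identical option and the three sample requests are constructed for illustration and are not taken from the post.

```python
"""Validate the Content-Length headers of a raw HTTP/1.x request.

Added example, not Tomcat code. Default behaviour mirrors the Tomcat 5.5.23
fix described above: any request with more than one Content-Length header
gets a 400. With collapse_identical=True, duplicates carrying the *same*
value are merged into one (RFC 7230 section 3.3.2 permits a recipient to do
this); duplicates with differing values are always rejected.
"""
from typing import List, Optional, Tuple


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the head of a raw request into lower-cased (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # index 0 is the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_content_length(raw: bytes,
                         collapse_identical: bool = False) -> Tuple[int, Optional[int]]:
    """Return (status, length): status 400 means reject the request outright,
    200 means it may be forwarded with the single Content-Length given
    (None when the request carries no Content-Length at all)."""
    values = [v for name, v in parse_headers(raw) if name == "content-length"]
    if not values:
        return 200, None
    if any(not v.isdigit() for v in values):      # non-numeric length: invalid framing
        return 400, None
    if len(values) > 1:
        if not collapse_identical or len(set(values)) > 1:
            return 400, None                     # Tomcat 5.5.23 behaviour
    return 200, int(values[0])


# Constructed sample requests (not captured traffic).
NORMAL = b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
DUP_SAME = (b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
            b"Content-Length: 5\r\ncontent-length: 5\r\n\r\nhello")
DUP_DIFF = (b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
            b"Content-Length: 5\r\nContent-Length: 44\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("dup-same", DUP_SAME), ("dup-diff", DUP_DIFF)):
        print(label, check_content_length(req), check_content_length(req, True))
```

Merging identical duplicates at the edge, as the collapse_identical path does, is one way to keep the old clients working without weakening the check on the Tomcat side; requests whose duplicate lengths disagree are the ones that enable the smuggling described in the CVE text and must still be rejected.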
