- Bug
- Resolution: Done
- Critical
- JWS 3.0.1 DR1
- None
ASF Bug 57570 – Make processing of chunked encoding trailers an opt-in feature (align with HTTPD 2.4.12)

Make the processing of trailer headers with chunked input optional and disabled by default.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57570
http://svn.apache.org/r1666395
<quote>
CVE-2013-5704 (cve.mitre.org)
core: HTTP trailers could be used to replace HTTP headers
late during request processing, potentially undoing or
otherwise confusing modules that examined or modified
request headers earlier. Adds "MergeTrailers" directive to restore
legacy behavior.
</quote>
In Tomcat, chunked encoding trailers are processed by ChunkedInputFilter (.parseEndChunk() -> .parseHeader()). The values are available as headers (TestChunkedInputFilter$EchoHeaderServlet).
This was implemented via bug 49860 and has been available since 6.0.30 and 7.0.5, in all current versions (r1039090 in 6.0.x).
If we follow in HTTPD's steps, a solution is to make processing of these trailers an opt-in feature that is off by default. A mitigation is already available with the existing features: it is possible to limit the size of trailer headers via configuration.
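
The behaviour change described above, as an added Python sketch that is not Tomcat's or HTTPD's code: a minimal chunked-body decoder that discards trailer fields by default and merges them into the request headers only when opted in, overwriting as in the quoted CVE text. The names `parse_chunked`, `allow_trailers` and `max_trailer_size`, and the sample header `X-Role`, are assumptions made for this illustration.

```python
# Added illustration, not Tomcat's ChunkedInputFilter. All names are hypothetical.
HEX = b"0123456789abcdefABCDEF"

def _line(raw: bytes, pos: int):
    """Return (line, next_pos) for the CRLF-terminated line starting at pos."""
    eol = raw.index(b"\r\n", pos)  # ValueError if the message is truncated
    return raw[pos:eol], eol + 2

def parse_chunked(raw, headers, allow_trailers=False, max_trailer_size=8192):
    """Decode a chunked body and return (body, headers as seen after the body)."""
    body, pos = bytearray(), 0
    while True:
        line, pos = _line(raw, pos)
        size_hex = line.split(b";", 1)[0]  # drop any chunk extension
        if not size_hex or any(c not in HEX for c in size_hex):
            raise ValueError("invalid chunk size")
        size = int(size_hex.decode("ascii"), 16)
        if size == 0:
            break  # last chunk; the trailer section follows
        if raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        body += raw[pos:pos + size]
        pos += size + 2

    merged, seen = dict(headers), 0
    while True:
        line, pos = _line(raw, pos)
        if not line:
            break  # empty line ends the trailer section
        seen += len(line) + 2
        if seen > max_trailer_size:  # the size limit applies in both modes
            raise ValueError("trailer section exceeds limit")
        if allow_trailers:  # opt-in: legacy merge into the request headers
            name, sep, value = line.partition(b":")
            if not sep or not name.strip():
                raise ValueError("malformed trailer field")
            key = name.strip().lower().decode("ascii")
            merged[key] = value.strip().decode("latin-1")
        # default: the trailer is consumed from the stream and discarded
    return bytes(body), merged

# Constructed sample: a header value that a filter checked before the body was
# read, and a chunked body whose trailer repeats that header name.
CHECKED_HEADERS = {"x-role": "guest"}
SAMPLE_BODY = b"5\r\nhello\r\n0\r\nX-Role: admin\r\n\r\n"
```

With the default settings the headers checked before the body was read are unchanged afterwards; with `allow_trailers=True` the trailer value replaces the one that was checked.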