Bug
Resolution: Done
Major
JWS 3.0.1 DR1
None
Release Notes
Documented as Resolved Issue
ASF Bug 57570 – Make processing of chunked encoding trailers an opt-in feature (align with HTTPD 2.4.12).

The HTTPD 2.4.12 release contains a fix for the following issue:
<quote>
CVE-2013-5704 (cve.mitre.org)
core: HTTP trailers could be used to replace HTTP headers
late during request processing, potentially undoing or
otherwise confusing modules that examined or modified
request headers earlier. Adds "MergeTrailers" directive to restore
legacy behavior.
</quote>
In Tomcat, chunked encoding trailers are processed by ChunkedInputFilter (.parseEndChunk() -> .parseHeader()). The values are available as headers (TestChunkedInputFilter$EchoHeaderServlet).
This was implemented via bug 49860 and has been available since 6.0.30 and 7.0.5, in all current versions (r1039090 in 6.0.x).
If we follow in HTTPD's steps, a solution is to make processing of these trailers an opt-in feature that is off by default. A mitigation is already available with the existing features: it is possible to limit the size of trailer headers via configuration.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57570
http://svn.apache.org/r1666396
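
The opt-in behaviour proposed above, as an added example that is not Tomcat's or JWS's code: a minimal chunked-body decoder that ignores trailer fields unless they are explicitly allow-listed, and that caps the trailer size. The function name, the `allowed_trailers` and `max_trailer_size` parameters, the 8192-byte default and the sample request are assumptions made for illustration.

```python
import re

HEX = re.compile(rb"[0-9A-Fa-f]+")


def read_chunked(raw, headers, allowed_trailers=frozenset(), max_trailer_size=8192):
    """Decode a chunked body; merge a trailer field only if it is allow-listed.

    Returns (body, merged_headers, ignored_trailer_names). All names here are
    hypothetical; 8192 is an assumed default for the trailer size cap.
    """
    body, pos = b"", 0
    while True:  # chunk loop: "<hex-size>[;ext]\r\n<data>\r\n"
        eol = raw.index(b"\r\n", pos)  # raises ValueError on truncated input
        field = raw[pos:eol].split(b";", 1)[0].strip()
        if not HEX.fullmatch(field):
            raise ValueError("invalid chunk size")
        size, pos = int(field, 16), eol + 2
        if size == 0:
            break  # last chunk; the trailer section follows
        body += raw[pos:pos + size]
        if raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk not terminated by CRLF")
        pos += size + 2

    merged, ignored, used = dict(headers), [], 0
    while True:  # trailer loop: "<name>: <value>\r\n" ... then an empty line
        eol = raw.index(b"\r\n", pos)
        line, pos = raw[pos:eol], eol + 2
        if not line:
            break
        used += len(line) + 2
        if used > max_trailer_size:  # the size-limit mitigation
            raise ValueError("trailer section exceeds size limit")
        name, _, value = line.partition(b":")
        key = name.decode("ascii").strip().lower()
        if key in allowed_trailers:  # opt-in: only listed names reach the headers
            merged[key] = value.decode("latin-1").strip()
        else:  # default: never overwrite what earlier processing already examined
            ignored.append(key)
    return body, merged, ignored


# Constructed sample: body "hello" followed by two trailer fields.
SAMPLE = b"5\r\nhello\r\n0\r\nX-Tenant: b\r\nX-Checksum: 5d41\r\n\r\n"
REQUEST_HEADERS = {"x-tenant": "a", "transfer-encoding": "chunked"}

if __name__ == "__main__":
    print(read_chunked(SAMPLE, REQUEST_HEADERS))                  # trailers off
    print(read_chunked(SAMPLE, REQUEST_HEADERS, {"x-checksum"}))  # explicit opt-in
```
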
relates to: JWS-321 Tomcat header new behave (Closed)