Posted to dev@sling.apache.org by "Simon Gaeremynck (JIRA)" <ji...@apache.org> on 2010/01/21 01:26:55 UTC

[jira] Created: (SLING-1308) Node.infinity.json contains risk for DOS.

Node.infinity.json contains risk for DOS.
-----------------------------------------

                 Key: SLING-1308
                 URL: https://issues.apache.org/jira/browse/SLING-1308
             Project: Sling
          Issue Type: Bug
          Components: Servlets
    Affects Versions: Servlets Get 2.0.8
            Reporter: Simon Gaeremynck
            Priority: Critical
         Attachments: jsonRenderer.diff

As it is now, any user can do a node.infinity.json.
If this happens on the root node in a repository with many items, it will cause the server to slow down (eventually crash?)
I've created a patch confirming the discussion @ http://markmail.org/search/?q=node.infinity#query:node.infinity+page:1+mid:ugqjyqdz2trfpdkr+state:results

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.

Posted by "Ian Boston (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12803233#action_12803233 ] 

Ian Boston commented on SLING-1308:
-----------------------------------

Happy to apply this and fix the import orders, but I am going to wait a few hours just in case anyone wants to shout.



Re: [jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.

Posted by Ian Boston <ie...@tfd.co.uk>.
Thank you,
updated with a note.
Strange that search didn't find it.
Ian

On 22 Jan 2010, at 14:00, John Crawford wrote:

> Here is one reference
> http://cwiki.apache.org/SLING/using-curl-with-sling.html
> 
> Respectfully,
> John


Re: [jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.

Posted by John Crawford <cr...@gmail.com>.
Here is one reference
http://cwiki.apache.org/SLING/using-curl-with-sling.html

Respectfully,
John



On Thu, Jan 21, 2010 at 4:43 PM, Ian Boston <ie...@tfd.co.uk> wrote:

> I have searched, and I can't find where "infinity" is documented on the
> Sling web site; any pointers?
>
> Ian
>

Re: [jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.

Posted by Ian Boston <ie...@tfd.co.uk>.
I have searched, and I can't find where "infinity" is documented on the Sling web site; any pointers?

Ian

On 21 Jan 2010, at 22:27, Ian Boston (JIRA) wrote:

> 
>    [ https://issues.apache.org/jira/browse/SLING-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12803510#action_12803510 ] 
> 
> Ian Boston commented on SLING-1308:
> -----------------------------------
> 
> Patch applies OK and the integration tests pass.
> 
> However, I have reverted the changes to the Sling API to eliminate the need to depend on a later version of the API.
> Also there was a license header missing, added in.
> 
> Other than that LGTM,
> I will go and find the doc and update that as well.


[jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.

Posted by "Ian Boston (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12803510#action_12803510 ] 

Ian Boston commented on SLING-1308:
-----------------------------------

Patch applies OK and the integration tests pass.

However, I have reverted the changes to the Sling API to eliminate the need to depend on a later version of the API.
Also there was a license header missing, added in.

Other than that LGTM,
I will go and find the doc and update that as well.



[jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.

Posted by "Simon Gaeremynck (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12803250#action_12803250 ] 

Simon Gaeremynck commented on SLING-1308:
-----------------------------------------

Yes, I removed the Location header as you said in your last mail in the thread.

The bug must have crept in when I removed the response.setHeader line.
Serves me right for not testing it again. 



[jira] Updated: (SLING-1308) Node.infinity.json contains risk for DOS.

Posted by "Simon Gaeremynck (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon Gaeremynck updated SLING-1308:
------------------------------------

    Attachment: jsonRenderer.diff

Scrap the previous patch.
This one fixes the bug + adds an integration test in the launchpad/testing bundle.



[jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.

Posted by "Alexander Klimetschek (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12803248#action_12803248 ] 

Alexander Klimetschek commented on SLING-1308:
----------------------------------------------

Just to clarify: this patch does not set the Location header (AFAICS), but simply returns the possible URLs like /.1.json, /.2.json, etc. up until the maximum depth that returns a number of nodes below the configurable limit.

But there seems to be a bug in the latest patch: allowedLevel should be decremented in the loop, otherwise it seems endless:

+                while (allowedLevel >= 0) {
+                  writer.value(r.getPath() + "." + tidyUrl + allowedLevel + ".json");
+                }
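Review bot: allowedLevel is never modified inside the loop body, so `while (allowedLevel >= 0)` can never exit and the same URL is written to the response without bound; add `allowedLevel--;` after the `writer.value(...)` call, or write it as `for (int level = allowedLevel; level >= 0; level--)` so the termination condition is visible in one line, and cover the over-limit case in the integration test so a regression here is caught.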


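The mitigation as Alexander describes it (render the requested depth only when the subtree stays under a configurable node limit, otherwise answer with the shallower .N.json URLs that do fit), as an added Python model that is not Sling's code: the sample tree, the node budget and the function names are constructed for illustration, and the URL loop carries the decrement the comment above asks for.

```python
"""Depth-limited JSON rendering with a node budget (added model, not Sling code).
Mirrors the SLING-1308 mitigation: a node.<depth>.json request is rendered only
when the subtree fits a configurable node limit; otherwise the response lists the
shallower .N.json URLs that do fit, deepest first. Tree, budget and names are
constructed for this example."""

# Constructed sample tree: each dict maps a child name to its own children.
SAMPLE_TREE = {
    "content": {"a": {"a1": {}, "a2": {"deep": {}}}, "b": {}},
    "system": {"s1": {}, "s2": {}, "s3": {}},
}

def count_nodes(node, depth, budget):
    """Count node plus descendants down to `depth` (None = 'infinity', unbounded),
    stopping as soon as the count exceeds `budget` so a huge tree is never walked."""
    total, stack = 0, [(node, 0)]
    while stack:
        current, level = stack.pop()
        total += 1
        if total > budget:
            return total  # over budget: abandon the traversal early
        if depth is None or level < depth:
            stack.extend((child, level + 1) for child in current.values())
    return total

def render(node, depth):
    """Nest children down to `depth`; depth 0 renders the node itself only."""
    if depth is not None and depth <= 0:
        return {}
    return {name: render(child, None if depth is None else depth - 1)
            for name, child in node.items()}

def alternative_urls(path, node, max_nodes):
    """List path.<N>.json for every depth N whose node count fits max_nodes."""
    allowed, level, previous = -1, 0, -1
    while True:
        count = count_nodes(node, level, max_nodes)
        if count > max_nodes:
            break  # this depth is too expensive; deeper ones are too
        allowed = level
        if count == previous:
            break  # deeper levels add nothing: the tree is exhausted
        previous, level = count, level + 1
    urls = []
    while allowed >= 0:  # the loop flagged in review, with the missing decrement
        urls.append(f"{path}.{allowed}.json")
        allowed -= 1
    return urls

def get_json(path, node, selector, max_nodes):
    """Serve path.<selector>.json: render within budget, else offer alternatives."""
    depth = None if selector == "infinity" else int(selector)
    if count_nodes(node, depth, max_nodes) <= max_nodes:
        return {"rendered": render(node, depth), "alternatives": None}
    return {"rendered": None, "alternatives": alternative_urls(path, node, max_nodes)}
```

Because count_nodes stops at budget + 1, the cost of refusing an oversized request is bounded by the limit rather than by the size of the repository.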


[jira] Updated: (SLING-1308) Node.infinity.json contains risk for DOS.

Posted by "Simon Gaeremynck (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon Gaeremynck updated SLING-1308:
------------------------------------

    Attachment: jsonRenderer.diff

Attached patch.



[jira] Assigned: (SLING-1308) Node.infinity.json contains risk for DOS.

Posted by "Ian Boston (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ian Boston reassigned SLING-1308:
---------------------------------

    Assignee: Ian Boston



[jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.

Posted by "Ian Boston (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12859663#action_12859663 ] 

Ian Boston commented on SLING-1308:
-----------------------------------

At the moment, I can't see where to update the documentation, as I can't find any documentation on "infinity".
