Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2017/02/02 21:42:52 UTC

[jira] [Comment Edited] (OFBIZ-9198) Missing file results in infinite loop

    [ https://issues.apache.org/jira/browse/OFBIZ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15850552#comment-15850552 ] 

Jacques Le Roux edited comment on OFBIZ-9198 at 2/2/17 9:41 PM:
----------------------------------------------------------------

Ouch! It's not exactly an infinite loop. Here it took 4+ seconds:
{code}
2017-02-02 22:29:18,344 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
[...]
2017-02-02 22:29:22,410 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)] Request Done- total:4.066,since last([stream(Domain:ht...):4.066]]
{code}
But indeed it can easily be used for a massive DDOS. So this is a security issue, and since it's already disclosed I make it a subtask of OFBIZ-1525.

Please note, Ingo, that in case of security issues the ASF has some logical recommendations that we relay in the "Security Vulnerabilities" section at http://ofbiz.apache.org/download.html

Thanks


was (Author: jacques.le.roux):
Ouch! It's not exactly an infinite loop. Here it took 4+ seconds:
{code}
2017-02-02 22:29:18,344 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
[...]
2017-02-02 22:29:22,410 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)] Request Done- total:4.066,since last([stream(Domain:ht...):4.066]]
{code}
But indeed it can easily be used for a massive DDOS. So this is a security issue, and since it's already disclosed I make it a subtask of OFBIZ-1525.

Please note, Ingo, that in case of security issues the ASF has some logical recommendations that we relay in the "Security Vulnerabilities" section at http://ofbiz.apache.org/download.html

Thanks
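The comment above dates the problem from the ControlServlet trace lines: the `stream` request for a missing content begins at 22:29:18,344 and is only done at 22:29:22,410. Spotting that pattern at scale (many slow `stream` requests, which is what a DoS attempt against this bug would look like from the server side) is a log-analysis task. The following is an added example, not code from OFBiz or from the ticket: it pairs `Request Begun` / `Request Done` lines per worker thread and reports the requests that exceeded a threshold. The log format is taken from the two lines quoted in the comment; the two `main` request lines in the sample are constructed for contrast, and the threshold value is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the two ControlServlet trace lines quoted in the ticket
# (thread exec-8, request "stream") plus a made-up fast "main" request on
# another thread so the pairing logic has something to ignore.
SAMPLE_LOG = """\
2017-02-02 22:29:18,344 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
2017-02-02 22:29:18,500 |http-nio-8443-exec-3 |ControlServlet                |T| [[[main(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
2017-02-02 22:29:18,612 |http-nio-8443-exec-3 |ControlServlet                |T| [[[main(Domain:https://localhost)] Request Done- total:0.112,since last([main(Domain:ht...):0.112]]
2017-02-02 22:29:22,410 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)] Request Done- total:4.066,since last([stream(Domain:ht...):4.066]]
"""

# Timestamp, worker thread, request name and whether the line marks the
# beginning or the end of the request. Only ControlServlet trace lines match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\|(?P<thread>\S+)\s*\|ControlServlet\s*\|T\| "
    r"\[\[\[(?P<request>\w+)\(Domain:[^)]*\)\] Request (?P<event>Begun|Done)"
)


def slow_requests(log_text, threshold_seconds=2.0):
    """Pair Begun/Done lines per thread and return (thread, request, seconds)
    for every request whose wall-clock time reached the threshold.
    threshold_seconds is an assumed value; tune it to the deployment."""
    open_requests = {}  # thread -> (request name, begun timestamp)
    slow = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        thread, request, event = m["thread"], m["request"], m["event"]
        if event == "Begun":
            # A servlet worker thread handles one request at a time, so the
            # next Done on this thread closes this Begun.
            open_requests[thread] = (request, ts)
        elif thread in open_requests:
            begun_request, begun_ts = open_requests.pop(thread)
            elapsed = (ts - begun_ts).total_seconds()
            if elapsed >= threshold_seconds:
                slow.append((thread, begun_request, round(elapsed, 3)))
    return slow


def slow_request_counts(log_text, threshold_seconds=2.0):
    """Count slow requests per request name; a spike in one handler (here
    'stream') is the signal worth alerting on."""
    return Counter(request for _, request, _ in slow_requests(log_text, threshold_seconds))


if __name__ == "__main__":
    for thread, request, seconds in slow_requests(SAMPLE_LOG):
        print(f"{thread}: {request} took {seconds}s")
    print(dict(slow_request_counts(SAMPLE_LOG)))
```

Elapsed time is computed from the two timestamps rather than trusted from the `total:` field, so the same parser works on lines where that field is truncated. Feed it the full trace log and alert when `slow_request_counts` shows many slow `stream` requests in a short window.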

> Missing file results in infinite loop
> -------------------------------------
>
>                 Key: OFBIZ-9198
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9198
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: specialpurpose/ecommerce
>    Affects Versions: Release Branch 13.07, Trunk, Release Branch 15.12, Release Branch 16.11
>            Reporter: Ingo Wolfmayr
>            Assignee: Jacques Le Roux
>            Priority: Critical
>         Attachments: errror.txt
>
>
> When accessing a file/image in ecommerce (only seo version) that is physically missing or the dataresource attribute isPublic=="N" the request results in an infinite loop.
> Demo data: 
> <Content contentId="test" contentTypeId="DOCUMENT" dataResourceId="test" statusId="CTNT_PUBLISHED"/>
> <DataResource dataResourceId="test" dataResourceTypeId="LOCAL_FILE" dataTemplateTypeId="NONE" statusId="CTNT_PUBLISHED" dataResourceName="Test Image" objectInfo="PATH TO FILE" isPublic="N"  />
> <Content contentId="testurl" contentTypeId="DOCUMENT" dataResourceId="testurl" statusId="CTNT_PUBLISHED"/>
> <DataResource dataResourceId="testurl" dataResourceTypeId="URL_RESOURCE" dataTemplateTypeId="NONE" statusId="CTNT_PUBLISHED" objectInfo="/testbild-content" isPublic="N"/>
> <ContentAssoc contentId="test" contentIdTo="testurl" contentAssocTypeId="ALTERNATE_URL" fromDate="2006-09-22 00:00:00.0"/>
> Call:
> /ecomseo/testbild-content
> /ecomseo/stream?contentId=test
> I found that because I had server problems (server down), so it is quite easy to kill the server by streaming a not existing contentId via the ecomseo app.
> /ecomseo/stream?contentId=test1



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)