Posted to issues@cxf.apache.org by "Sergey Beryozkin (Created) (JIRA)" <ji...@apache.org> on 2012/03/09 14:56:58 UTC

[jira] [Created] (CXF-4172) JAXB and Form based providers are open to the hash collision attacks

JAXB and Form based providers are open to the hash collision attacks
--------------------------------------------------------------------

                 Key: CXF-4172
                 URL: https://issues.apache.org/jira/browse/CXF-4172
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS, JAX-RS Security
            Reporter: Sergey Beryozkin
            Assignee: Sergey Beryozkin
            Priority: Critical
             Fix For: 2.3.10, 2.4.7, 2.5.3, 2.6


JAXB based and Form providers using the Maps internally are open to the hash collision attacks.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (CXF-4172) JAXB and Form based providers are open to the hash collision attacks

Posted by "Sergey Beryozkin (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13226081#comment-13226081 ] 

Sergey Beryozkin commented on CXF-4172:
---------------------------------------

The initial commit:
http://svn.apache.org/viewvc?rev=1298470&view=rev

                
> JAXB and Form based providers are open to the hash collision attacks
> --------------------------------------------------------------------
>
>                 Key: CXF-4172
>                 URL: https://issues.apache.org/jira/browse/CXF-4172
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>            Reporter: Sergey Beryozkin
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 2.3.10, 2.4.7, 2.5.3, 2.6
>
>
> JAXB based and Form providers using the Maps internally are open to the hash collision attacks.


        

[jira] [Updated] (CXF-4172) Default JAX-RS JAXB, JSON and Form providers are open to the hash collision attacks

Posted by "Sergey Beryozkin (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin updated CXF-4172:
----------------------------------

    Summary: Default JAX-RS JAXB, JSON and Form providers are open to the hash collision attacks  (was: JAXB and Form based providers are open to the hash collision attacks)
    
> Default JAX-RS JAXB, JSON and Form providers are open to the hash collision attacks
> -----------------------------------------------------------------------------------
>
>                 Key: CXF-4172
>                 URL: https://issues.apache.org/jira/browse/CXF-4172
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>            Reporter: Sergey Beryozkin
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 2.3.10, 2.4.7, 2.5.3, 2.6
>
>
> JAXB based and Form providers using the Maps internally are open to the hash collision attacks.


        

[jira] [Commented] (CXF-4172) Default JAX-RS JAXB, JSON and Form providers are open to the hash collision attacks

Posted by "Sergey Beryozkin (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13229356#comment-13229356 ] 

Sergey Beryozkin commented on CXF-4172:
---------------------------------------

A number of new contextual properties have been introduced to limit the depth of the incoming XML or JSON payloads (processed with the help of JAXB) and form payloads.

XML and JSON:

"depthTotalElementCountThreshold" - restricts the total number of elements in a given payload.
"depthInnerElementCountThreshold" - restricts the total number of child elements for a given element.
"depthInnerElementLevelThreshold" - restricts the stack depth starting from a given element (root by default).

These properties can be enforced in a number of ways. The simplest option is to enable them on individual JAX-RS endpoints. Alternatively, default CXF JAX-RS JAXBElementProvider and JSONProvider can have a 'depthProperties' set (http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/staxutils/DocumentDepthProperties.java). Finally they can instead depend on DepthRestrictingStreamInterceptor (http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java) configured and added to the inbound chain.

Source and DOM Document providers will depend on DepthRestrictingStreamInterceptor.
  

More sophisticated properties can be introduced in the future.

Form:

"maxFormParameterCount" - restricts the number of form name-value pairs.
Note that the Servlet containers may also need to restrict the number of form parameters:
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201112.mbox/%3C4EFB9800.5010106@apache.org%3E

The clients will get HTTP 413 back whenever one of the above contextual properties cannot be enforced.

*Note*: other optional XML or JSON providers may need the related third-party library enhanced to enforce the depth of the incoming payloads.


                
> Default JAX-RS JAXB, JSON and Form providers are open to the hash collision attacks
> -----------------------------------------------------------------------------------
>
>                 Key: CXF-4172
>                 URL: https://issues.apache.org/jira/browse/CXF-4172
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>            Reporter: Sergey Beryozkin
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 2.3.10, 2.4.7, 2.5.3, 2.6
>
>
> JAXB based and Form providers using the Maps internally are open to the hash collision attacks.

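The three XML thresholds and the form parameter limit described in the comment above, as an added example that is not CXF's own code: a streaming SAX handler rejects the payload the moment a threshold is crossed, before any Map of elements or parameters is built, and the caller maps that to the HTTP 413 the comment describes. Assumed: the root element counts as level 1 for the level threshold, and the class and function names here are hypothetical.

```python
# Added example, not CXF's DocumentDepthProperties or DepthRestrictingStreamInterceptor.
# Assumption: the root element is nesting level 1.
import xml.sax
from xml.sax.handler import ContentHandler


class PayloadTooLarge(Exception):
    """Raised as soon as a threshold is crossed; the endpoint answers 413."""


class DepthRestrictingHandler(ContentHandler):
    def __init__(self, total_threshold, inner_count_threshold, level_threshold):
        super().__init__()
        self.total_threshold = total_threshold          # depthTotalElementCountThreshold
        self.inner_count_threshold = inner_count_threshold  # depthInnerElementCountThreshold
        self.level_threshold = level_threshold          # depthInnerElementLevelThreshold
        self.total = 0
        self.child_counts = []  # one child counter per open element: the element stack

    def startElement(self, name, attrs):
        self.total += 1
        if self.total > self.total_threshold:
            raise PayloadTooLarge("total element count > %d" % self.total_threshold)
        if self.child_counts:  # count this element against its parent
            self.child_counts[-1] += 1
            if self.child_counts[-1] > self.inner_count_threshold:
                raise PayloadTooLarge("child count > %d" % self.inner_count_threshold)
        self.child_counts.append(0)
        if len(self.child_counts) > self.level_threshold:
            raise PayloadTooLarge("nesting level > %d" % self.level_threshold)

    def endElement(self, name):
        self.child_counts.pop()


def check_xml_depth(payload, total=100, inner_count=10, level=5):
    """Return the HTTP status the endpoint would send: 200 within limits, else 413."""
    try:
        xml.sax.parseString(payload, DepthRestrictingHandler(total, inner_count, level))
    except PayloadTooLarge:
        return 413
    return 200


def check_form_parameter_count(body, max_count):
    """maxFormParameterCount: count name=value pairs before building any Map."""
    count = 0
    for pair in body.split("&"):
        if pair:
            count += 1
            if count > max_count:
                return 413
    return 200


# Constructed sample payloads: one wide (12 children of root), one deep (level 6).
WIDE = b"<root>" + b"<item/>" * 12 + b"</root>"
DEEP = b"<a><b><c><d><e><f/></e></d></c></b></a>"
```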

        

[jira] [Updated] (CXF-4172) Default JAX-RS XML, JSON and Form providers are open to the hash collision attacks

Posted by "Sergey Beryozkin (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin updated CXF-4172:
----------------------------------

    Description: 
Default XML, JSON and Form providers using the Maps internally are open to the hash collision attacks.

This includes JAXBElementProvider and JSONProvider (JAXB-driven), SourceProvider, FormEncodingProvider.

  was:JAXB based and Form providers using the Maps internally are open to the hash collision attacks.

        Summary: Default JAX-RS XML, JSON and Form providers are open to the hash collision attacks  (was: Default JAX-RS JAXB, JSON and Form providers are open to the hash collision attacks)
    
> Default JAX-RS XML, JSON and Form providers are open to the hash collision attacks
> ----------------------------------------------------------------------------------
>
>                 Key: CXF-4172
>                 URL: https://issues.apache.org/jira/browse/CXF-4172
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>            Reporter: Sergey Beryozkin
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 2.3.10, 2.4.7, 2.5.3, 2.6
>
>
> Default XML, JSON and Form providers using the Maps internally are open to the hash collision attacks.
> This includes JAXBElementProvider and JSONProvider (JAXB-driven), SourceProvider, FormEncodingProvider.


        

[jira] [Resolved] (CXF-4172) Default JAX-RS XML, JSON and Form providers are open to the hash collision attacks

Posted by "Sergey Beryozkin (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin resolved CXF-4172.
-----------------------------------

    Resolution: Fixed
    
> Default JAX-RS XML, JSON and Form providers are open to the hash collision attacks
> ----------------------------------------------------------------------------------
>
>                 Key: CXF-4172
>                 URL: https://issues.apache.org/jira/browse/CXF-4172
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>            Reporter: Sergey Beryozkin
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 2.3.10, 2.4.7, 2.5.3, 2.6
>
>
> Default XML, JSON and Form providers using the Maps internally are open to the hash collision attacks.
> This includes JAXBElementProvider and JSONProvider (JAXB-driven), SourceProvider, FormEncodingProvider.
