Posted to dev@shindig.apache.org by "Tim Wintle (JIRA)" <ji...@apache.org> on 2008/10/27 14:08:44 UTC
[jira] Created: (SHINDIG-662) Check protocol for proxy requests
Check protocol for proxy requests
---------------------------------
Key: SHINDIG-662
URL: https://issues.apache.org/jira/browse/SHINDIG-662
Project: Shindig
Issue Type: Bug
Components: Gadget Rendering Server (PHP)
Environment: Multiple *nix
Reporter: Tim Wintle
ProxyHandler does not check the protocol of requests.
-> On our development servers, a request to proxy "file://[some big logfile]" successfully tied up the server for 30 seconds of CPU time.
(The request was not passed back to the client, but this bug opens up a possibility for a DoS attack.)
Patch submitted simply checks that the requested URL includes the http, https or ftp protocol if a protocol is specified.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SHINDIG-662) Check protocol for proxy requests
Posted by "Tim Wintle (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tim Wintle updated SHINDIG-662:
-------------------------------
Attachment: (was: fix_noProtocolCheck_bug.patch)
> Check protocol for proxy requests
> ---------------------------------
>
> Key: SHINDIG-662
> URL: https://issues.apache.org/jira/browse/SHINDIG-662
> Project: Shindig
> Issue Type: Bug
> Components: Gadget Rendering Server (PHP)
> Environment: Multiple *nix
> Reporter: Tim Wintle
> Original Estimate: 0.5h
> Remaining Estimate: 0.5h
>
> ProxyHandler does not check the protocol of requests.
> -> On our development servers, a request to proxy "file://[some big logfile]" successfully tied up the server for 30 seconds of CPU time.
> (The request was not passed back to the client, but this bug opens up a possibility for a DoS attack.)
> Patch submitted simply checks that the requested URL includes the http, https or ftp protocol if a protocol is specified.
[jira] Resolved: (SHINDIG-662) Check protocol for proxy requests
Posted by "Chris Chabot (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chris Chabot resolved SHINDIG-662.
----------------------------------
Resolution: Fixed
Assignee: Chris Chabot
I did change the patch slightly to raise exceptions instead of setting the url to "" on an invalid protocol (more consistent with the rest of the project), but other than that it looks good to me.
Fix has been committed, thanks for the patch!
> Check protocol for proxy requests
> ---------------------------------
>
> Key: SHINDIG-662
> URL: https://issues.apache.org/jira/browse/SHINDIG-662
> Project: Shindig
> Issue Type: Bug
> Components: Gadget Rendering Server (PHP)
> Environment: Multiple *nix
> Reporter: Tim Wintle
> Assignee: Chris Chabot
> Attachments: fix_662_bug_2.patch
>
> Original Estimate: 0.5h
> Remaining Estimate: 0.5h
>
> ProxyHandler does not check the protocol of requests.
> -> On our development servers, a request to proxy "file://[some big logfile]" successfully tied up the server for 30 seconds of CPU time.
> (The request was not passed back to the client, but this bug opens up a possibility for a DoS attack.)
> Patch submitted simply checks that the requested URL includes the http, https or ftp protocol if a protocol is specified.
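The check described in the issue (allow only http, https or ftp when a scheme is present) together with the change Chris mentions in the resolution (raise an exception rather than blank the URL), written out as an added example. This is not Shindig's ProxyHandler code or either of the attached patches; the function name checkProxyUrlScheme, the exception class ProxyUrlException and the sample inputs are all assumed for illustration.

```php
<?php
// Added example, not Shindig's own code: allow-list the URL scheme before a
// proxy fetch and raise an exception for anything that is not http/https/ftp.
// checkProxyUrlScheme() and ProxyUrlException are hypothetical names.

class ProxyUrlException extends Exception {}

/**
 * Return $url unchanged if its scheme is acceptable for proxying, otherwise throw.
 * A URL with no scheme at all is let through, matching the issue's "if a protocol
 * is specified" wording; the caller's fetch layer decides what to do with it.
 */
function checkProxyUrlScheme($url, array $allowedSchemes = array('http', 'https', 'ftp'))
{
    $url = trim($url);
    $parts = parse_url($url);
    if ($parts === false) {
        throw new ProxyUrlException("Unparseable URL: $url");
    }
    if (!isset($parts['scheme'])) {
        return $url;
    }
    // Compare case-insensitively: "FILE://" must be rejected exactly like "file://".
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, $allowedSchemes, true)) {
        throw new ProxyUrlException("Scheme '$scheme' is not allowed for proxy requests");
    }
    return $url;
}

// Constructed sample inputs for a quick self-check from the CLI (php example.php).
$samples = array(
    'http://example.com/gadget.xml',
    'HTTPS://example.com/',
    'ftp://example.com/pub/file.txt',
    'file:///var/log/httpd/access.log',   // the kind of request reported in SHINDIG-662
    'php://filter/resource=/etc/passwd',  // a PHP stream wrapper, not something a proxy should open
    'gadget.xml',                         // no scheme given: passes, per the issue's rule
);

foreach ($samples as $s) {
    try {
        checkProxyUrlScheme($s);
        echo "ALLOW  $s\n";
    } catch (ProxyUrlException $e) {
        echo "REJECT $s (" . $e->getMessage() . ")\n";
    }
}
```

Two things to keep in mind when applying a check like this: parse_url() treats a protocol-relative input such as "//host/path" as scheme-less, so under the issue's rule it passes and whatever the fetch layer does with it needs its own look; and a scheme allow-list only constrains how the proxy talks to a target, not which hosts it may talk to, so it is a fix for the file:// problem reported here rather than a general restriction on where the proxy can connect.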
[jira] Updated: (SHINDIG-662) Check protocol for proxy requests
Posted by "Tim Wintle (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tim Wintle updated SHINDIG-662:
-------------------------------
Attachment: fix_noProtocolCheck_bug.patch
Simple fix to ProxyHandler to check for protocol
> Check protocol for proxy requests
> ---------------------------------
>
> Key: SHINDIG-662
> URL: https://issues.apache.org/jira/browse/SHINDIG-662
> Project: Shindig
> Issue Type: Bug
> Components: Gadget Rendering Server (PHP)
> Environment: Multiple *nix
> Reporter: Tim Wintle
> Attachments: fix_noProtocolCheck_bug.patch
>
> Original Estimate: 0.5h
> Remaining Estimate: 0.5h
>
> ProxyHandler does not check the protocol of requests.
> -> On our development servers, a request to proxy "file://[some big logfile]" successfully tied up the server for 30 seconds of CPU time.
> (The request was not passed back to the client, but this bug opens up a possibility for a DoS attack.)
> Patch submitted simply checks that the requested URL includes the http, https or ftp protocol if a protocol is specified.
[jira] Updated: (SHINDIG-662) Check protocol for proxy requests
Posted by "Tim Wintle (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tim Wintle updated SHINDIG-662:
-------------------------------
Attachment: fix_662_bug_2.patch
Previous patch had incorrect variable name
> Check protocol for proxy requests
> ---------------------------------
>
> Key: SHINDIG-662
> URL: https://issues.apache.org/jira/browse/SHINDIG-662
> Project: Shindig
> Issue Type: Bug
> Components: Gadget Rendering Server (PHP)
> Environment: Multiple *nix
> Reporter: Tim Wintle
> Attachments: fix_662_bug_2.patch
>
> Original Estimate: 0.5h
> Remaining Estimate: 0.5h
>
> ProxyHandler does not check the protocol of requests.
> -> On our development servers, a request to proxy "file://[some big logfile]" successfully tied up the server for 30 seconds of CPU time.
> (The request was not passed back to the client, but this bug opens up a possibility for a DoS attack.)
> Patch submitted simply checks that the requested URL includes the http, https or ftp protocol if a protocol is specified.