Posted to dev@shindig.apache.org by "Tim Wintle (JIRA)" <ji...@apache.org> on 2008/10/27 14:08:44 UTC

[jira] Created: (SHINDIG-662) Check protocol for proxy requests

Check protocol for proxy requests
---------------------------------

                 Key: SHINDIG-662
                 URL: https://issues.apache.org/jira/browse/SHINDIG-662
             Project: Shindig
          Issue Type: Bug
          Components: Gadget Rendering Server (PHP)
         Environment: Multiple *nix
            Reporter: Tim Wintle


ProxyHandler does not check the protocol of requests.

-> On our development servers, a request to proxy "file://[some big logfile]" successfully tied up the server for 30 seconds of CPU time.
    (The request was not passed back to the client, but this bug opens up the possibility of a DoS attack)

The submitted patch simply checks that the requested URL includes the http, https or ftp protocol, if a protocol is specified.



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
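The check the issue asks for, written out as an added example in PHP (the component's language). This is not Shindig's ProxyHandler code and not the attached patch, neither of which appears on this page; the function name validateProxyUrl(), the exception class, the allow-list and the "prepend http:// when no scheme is given" behaviour are all assumptions made for illustration. It follows the resolution's approach of raising an exception on a bad protocol rather than blanking the URL, treats the scheme case-insensitively, and takes the scheme from the front of the string instead of testing for a substring, which is the mistake a "does the URL include http" check can make.

```php
<?php
// Added example, not Shindig's code: scheme allow-list for a URL a proxy
// handler is about to fetch, in the spirit of SHINDIG-662.
// Hypothetical names: InvalidProxyUrlException, validateProxyUrl().

class InvalidProxyUrlException extends Exception {}

/**
 * Returns the URL to fetch, or throws InvalidProxyUrlException.
 *
 *  - A scheme-less URL ("example.com/gadget.xml") is accepted and returned
 *    with "http://" prepended (assumption of this example; the issue only
 *    says the check applies "if a protocol is specified").
 *  - An explicit scheme must be http, https or ftp, compared case-insensitively,
 *    so "file://..." and "FILE://..." are both rejected.
 *  - The scheme is matched at the start of the string with the RFC 3986 scheme
 *    grammar. A substring test like strpos($url, 'http') !== false is NOT used:
 *    "file:///etc/passwd?x=http://" would pass it.
 */
function validateProxyUrl($url) {
    $allowed = array('http', 'https', 'ftp');
    $url = trim($url);
    if ($url === '') {
        throw new InvalidProxyUrlException('Empty URL');
    }
    // scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
    if (preg_match('/^([A-Za-z][A-Za-z0-9+.\-]*):/', $url, $m)) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, $allowed, true)) {
            throw new InvalidProxyUrlException("Disallowed protocol: $scheme");
        }
        // The allowed schemes all need a host; reject anything parse_url()
        // cannot make sense of (e.g. "http:/foo" has no host component).
        $parts = parse_url($url);
        if ($parts === false || empty($parts['host'])) {
            throw new InvalidProxyUrlException('Unparseable URL or missing host');
        }
        return $url;
    }
    // No scheme given: assume http. ltrim() turns "//host/path" into
    // "http://host/path" instead of "http:////host/path".
    return 'http://' . ltrim($url, '/');
}

// Constructed sample inputs showing what the check accepts and rejects.
$samples = array(
    'http://example.com/gadget.xml',        // accepted
    'HTTPS://Example.com/gadget.xml',       // accepted, scheme is case-insensitive
    'example.com/no-scheme.xml',            // accepted, http:// prepended
    'file:///var/log/httpd/access_log',     // rejected: the SHINDIG-662 case
    'FILE:///var/log/httpd/access_log',     // rejected
    'file:///etc/passwd?x=http://',         // rejected; a substring test would pass it
    'php://filter/resource=/etc/passwd',    // rejected
    'http:/no-host',                        // rejected, no host component
);
foreach ($samples as $s) {
    try {
        echo "OK      " . validateProxyUrl($s) . "\n";
    } catch (InvalidProxyUrlException $e) {
        echo "REJECT  " . $s . "  (" . $e->getMessage() . ")\n";
    }
}
```

Run it with `php validate.php`. Note what this check does and does not do: it stops the handler from being pointed at local files or other non-network wrappers, which is the problem the issue reports, but it says nothing about the destination host, so a separate check is needed if the proxy must not be able to reach internal addresses.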


[jira] Updated: (SHINDIG-662) Check protocol for proxy requests

Posted by "Tim Wintle (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim Wintle updated SHINDIG-662:
-------------------------------

    Attachment:     (was: fix_noProtocolCheck_bug.patch)

> Check protocol for proxy requests
> ---------------------------------
>
>                 Key: SHINDIG-662
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-662
>             Project: Shindig
>          Issue Type: Bug
>          Components: Gadget Rendering Server (PHP)
>         Environment: Multiple *nix
>            Reporter: Tim Wintle
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> ProxyHandler does not check the protocol of requests.
> -> On our development servers, a request to proxy "file://[some big logfile]" successfully tied up the server for 30 seconds of CPU time.
>     (The request was not passed back to the client, but this bug opens up the possibility of a DoS attack)
> The submitted patch simply checks that the requested URL includes the http, https or ftp protocol, if a protocol is specified.


[jira] Resolved: (SHINDIG-662) Check protocol for proxy requests

Posted by "Chris Chabot (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Chabot resolved SHINDIG-662.
----------------------------------

    Resolution: Fixed
      Assignee: Chris Chabot

I did change the patch slightly to raise exceptions instead of setting the url to "" on an invalid protocol (more consistent with the rest of the project), but other than that it looks good to me.

Fix has been committed, thanks for the patch!

> Check protocol for proxy requests
> ---------------------------------
>
>                 Key: SHINDIG-662
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-662
>             Project: Shindig
>          Issue Type: Bug
>          Components: Gadget Rendering Server (PHP)
>         Environment: Multiple *nix
>            Reporter: Tim Wintle
>            Assignee: Chris Chabot
>         Attachments: fix_662_bug_2.patch
>
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> ProxyHandler does not check the protocol of requests.
> -> On our development servers, a request to proxy "file://[some big logfile]" successfully tied up the server for 30 seconds of CPU time.
>     (The request was not passed back to the client, but this bug opens up the possibility of a DoS attack)
> The submitted patch simply checks that the requested URL includes the http, https or ftp protocol, if a protocol is specified.


[jira] Updated: (SHINDIG-662) Check protocol for proxy requests

Posted by "Tim Wintle (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim Wintle updated SHINDIG-662:
-------------------------------

    Attachment: fix_noProtocolCheck_bug.patch

Simple fix to ProxyHandler to check for protocol

> Check protocol for proxy requests
> ---------------------------------
>
>                 Key: SHINDIG-662
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-662
>             Project: Shindig
>          Issue Type: Bug
>          Components: Gadget Rendering Server (PHP)
>         Environment: Multiple *nix
>            Reporter: Tim Wintle
>         Attachments: fix_noProtocolCheck_bug.patch
>
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> ProxyHandler does not check the protocol of requests.
> -> On our development servers, a request to proxy "file://[some big logfile]" successfully tied up the server for 30 seconds of CPU time.
>     (The request was not passed back to the client, but this bug opens up the possibility of a DoS attack)
> The submitted patch simply checks that the requested URL includes the http, https or ftp protocol, if a protocol is specified.


[jira] Updated: (SHINDIG-662) Check protocol for proxy requests

Posted by "Tim Wintle (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim Wintle updated SHINDIG-662:
-------------------------------

    Attachment: fix_662_bug_2.patch

Previous patch had incorrect variable name

> Check protocol for proxy requests
> ---------------------------------
>
>                 Key: SHINDIG-662
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-662
>             Project: Shindig
>          Issue Type: Bug
>          Components: Gadget Rendering Server (PHP)
>         Environment: Multiple *nix
>            Reporter: Tim Wintle
>         Attachments: fix_662_bug_2.patch
>
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> ProxyHandler does not check the protocol of requests.
> -> On our development servers, a request to proxy "file://[some big logfile]" successfully tied up the server for 30 seconds of CPU time.
>     (The request was not passed back to the client, but this bug opens up the possibility of a DoS attack)
> The submitted patch simply checks that the requested URL includes the http, https or ftp protocol, if a protocol is specified.
