Posted to dev@sling.apache.org by "Jeff Young (Created) (JIRA)" <ji...@apache.org> on 2011/12/05 20:38:40 UTC

[jira] [Created] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Current DOS-prevention for infinity.json can prevent enumeration of children
----------------------------------------------------------------------------

                 Key: SLING-2320
                 URL: https://issues.apache.org/jira/browse/SLING-2320
             Project: Sling
          Issue Type: Bug
          Components: Servlets
    Affects Versions: Servlets Get 2.1.0
            Reporter: Jeff Young


A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Carsten Ziegeler (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13165109#comment-13165109 ] 

Carsten Ziegeler commented on SLING-2320:
-----------------------------------------

The patch looks good to me - for the dependencies, you did the correct thing in just pointing to the next snapshot version. Once we do a new release of the testing module, we'll bump it up to a new minor version I think (as we added things to the api) and then adjust the dependency in the servlets pom.
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Felix Meschberger (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163062#comment-13163062 ] 

Felix Meschberger commented on SLING-2320:
------------------------------------------

Thanks for providing the patch which looks basically good.

Yet, I have the impression that ResourceTraversor and JsonResourceWriter are candidates for some rewrite ...  For example the ResourceTraversor.adapt(Resource) method uses the JsonResourceWriter to serialize a resource subtree to a String which is then parsed to get the JSONObject. This is far from clever .. (Visitor pattern comes to mind here with implementations for serialization in the JsonResourceWriter and JSONObject building in the ResourceTraversor.adapt method.)
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>         Attachments: jsonRenderer.diff
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Assigned] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Felix Meschberger (Assigned) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger reassigned SLING-2320:
----------------------------------------

    Assignee: Felix Meschberger
    
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>         Attachments: jsonRenderer.diff
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Resolved] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler resolved SLING-2320.
-------------------------------------

    Resolution: Fixed
    
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: json_get_servlet_rewrite.patch, jsonRenderer.diff, servlets-get.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Jeff Young (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13162978#comment-13162978 ] 

Jeff Young commented on SLING-2320:
-----------------------------------

Note: the patch has SLING-XXXX in it because I thought I had to create it before creating the JIRA issue.  (And then, of course, I forgot to update it before uploading.)
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>              Labels: newbie, patch
>         Attachments: jsonRenderer.diff
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Jeff Young (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163073#comment-13163073 ] 

Jeff Young commented on SLING-2320:
-----------------------------------

Yeah, I was also somewhat concerned by the fact that ResourceTraversor.getParentJSONObject() will throw two exceptions *for every node traversed*.  (The first is thrown because the leading "/" isn't trimmed off of pathDiff, yielding an empty path segment, and the second because the last path looked for is self, which of course doesn't exist yet.)

But I didn't want to extend my remit beyond what I had been granted permission to fix....
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>         Attachments: jsonRenderer.diff
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Jeff Young (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeff Young updated SLING-2320:
------------------------------

    Attachment: jsonRenderer.diff

Ostensibly, this would just be a one-liner.  However, I discovered that the routine ResourceTraversor:check() had a rather large side-effect: it collects all the JSON objects which will later be output.  So if you don't do a check(), you don't get any output.

So I also renamed the routine (and some of its subroutines) such that the primary action is no longer a side-effect.
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>              Labels: newbie, patch
>         Attachments: jsonRenderer.diff
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Jeff Young (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeff Young updated SLING-2320:
------------------------------

    Attachment: jsonRenderer.diff
    
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, jsonRenderer.diff, servlet_tests.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler updated SLING-2320:
------------------------------------

    Attachment:     (was: servlets-get.patch)
    
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: json_get_servlet_rewrite.patch, jsonRenderer.diff, servlets-get.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Felix Meschberger (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163102#comment-13163102 ] 

Felix Meschberger commented on SLING-2320:
------------------------------------------

Update: the other issues should be handled in separate issues.
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13494013#comment-13494013 ] 

Carsten Ziegeler commented on SLING-2320:
-----------------------------------------

Looking at the current code, it creates the json on the fly with the drawback of serializing and de-serializing the json - which is due to the json writer used in all places. This seems to be the root problem.
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: json_get_servlet_rewrite.patch, jsonRenderer.diff, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Jeff Young (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeff Young updated SLING-2320:
------------------------------

    Attachment: servlet_tests.patch

I've attached the first patch (a unit test for the JSON GET servlet, and some changes to the Mock classes).

The attached POM files therefore had to have some SNAPSHOT versions in them. I presume those get rolled to the next greater even microversion or something, but I wasn't sure of the exact process so I left them SNAPSHOTS.

(I'll be in Basel this Thurs/Fri, perhaps I can get some time with Felix or Carsten to go over that part just for future reference.)
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Resolved] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Felix Meschberger (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger resolved SLING-2320.
--------------------------------------

       Resolution: Fixed
    Fix Version/s: Servlets Get 2.1.4

Applied the patch slightly modified in Rev. 1210669

The change is from

  if (maxRecursionLevels == 1) {
      // some comment
  } else if (count > maxResources) {
      throw new RecursionTooDeepException(String.valueOf(currentLevel));
  }

to

  if (count > maxResources && maxRecursionLevels > 1) {
      throw new RecursionTooDeepException(String.valueOf(currentLevel));
  }
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

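The limit change described in the resolution above, and the depth-1 versus deep-traversal distinction from the issue description, modelled as an added Python example that is not Sling's code: a small in-memory resource tree and a traversor that renders it to nested dicts, with the resource budget (maxResources) enforced on every request in the pre-fix variant and only for requests deeper than one level after the fix. The names Resource, build_sample_tree, render_before_fix, render_after_fix and outcome, and the INFINITY sentinel standing in for the infinity selector, are assumptions of this example.

```python
"""Model of the depth / resource-count limit in a JSON tree renderer.

Added example, not Sling's code. It shows why a resource budget that is
enforced on every request breaks depth-1 listings of wide nodes, and how
exempting exactly-one-level requests (the SLING-2320 fix) restores them
while deep traversals remain bounded.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Depth selector for "resource.infinity.json"; modelled as -1 (assumption).
INFINITY = -1


class RecursionTooDeepException(Exception):
    """Raised when a traversal exceeds the configured resource budget."""


@dataclass
class Resource:
    """Minimal stand-in for a repository node (constructed, not Sling's API)."""
    name: str
    props: Dict[str, Any] = field(default_factory=dict)
    children: List["Resource"] = field(default_factory=list)


def _traverse(root: Resource, max_recursion_levels: int, max_resources: int,
              exempt_single_level: bool) -> Dict[str, Any]:
    """Render `root` to nested dicts, descending at most `max_recursion_levels`.

    `count` is the number of resources collected so far. Exceeding
    `max_resources` aborts the traversal, unless `exempt_single_level` is
    set and the request asked for exactly one level.
    """
    count = 0
    single_level = max_recursion_levels == 1

    def visit(res: Resource, current_level: int) -> Dict[str, Any]:
        nonlocal count
        obj: Dict[str, Any] = dict(res.props)
        if max_recursion_levels != INFINITY and current_level >= max_recursion_levels:
            return obj  # requested depth reached: properties only, no children
        for child in res.children:
            count += 1
            if count > max_resources and not (exempt_single_level and single_level):
                raise RecursionTooDeepException(str(current_level))
            obj[child.name] = visit(child, current_level + 1)
        return obj

    return visit(root, 0)


def render_before_fix(root: Resource, max_recursion_levels: int,
                      max_resources: int) -> Dict[str, Any]:
    """Pre-fix behaviour: the budget applies to every request, including 1.json."""
    return _traverse(root, max_recursion_levels, max_resources, exempt_single_level=False)


def render_after_fix(root: Resource, max_recursion_levels: int,
                     max_resources: int) -> Dict[str, Any]:
    """Post-fix behaviour: budget enforced only when more than one level is requested."""
    return _traverse(root, max_recursion_levels, max_resources, exempt_single_level=True)


def build_sample_tree(fan_out: int, depth: int) -> Resource:
    """Constructed sample tree: every node has `fan_out` children down to `depth`."""
    def make(name: str, level: int) -> Resource:
        node = Resource(name, {"jcr:primaryType": "nt:unstructured", "level": level})
        if level < depth:
            node.children = [make(f"{name}-{i}", level + 1) for i in range(fan_out)]
        return node
    return make("root", 0)


def outcome(render: Callable[[Resource, int, int], Dict[str, Any]], root: Resource,
            max_recursion_levels: int, max_resources: int) -> str:
    """Run one render and summarise it as 'ok:<direct children>' or 'rejected'."""
    try:
        result = render(root, max_recursion_levels, max_resources)
    except RecursionTooDeepException:
        return "rejected"
    children = [k for k, v in result.items() if isinstance(v, dict)]
    return f"ok:{len(children)}"


if __name__ == "__main__":
    tree = build_sample_tree(fan_out=50, depth=3)  # wide node, budget of 10 below
    for label, fn in (("before", render_before_fix), ("after", render_after_fix)):
        print(label, "1.json       ", outcome(fn, tree, 1, 10))
        print(label, "2.json       ", outcome(fn, tree, 2, 10))
        print(label, "infinity.json", outcome(fn, tree, INFINITY, 10))
```

With a node of 50 children and a budget of 10, the pre-fix variant rejects 1.json while the fixed one returns all 50 children; both still reject 2.json and infinity.json on the same tree, and they do so at the first level, which is the behaviour the later comment on the patch describes. The exemption is defensible because a depth-1 response costs one node's fan-out rather than a recursive walk, so the budget is only needed where recursion multiplies the work.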

[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Felix Meschberger (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163418#comment-13163418 ] 

Felix Meschberger commented on SLING-2320:
------------------------------------------

Actually, if I read the patch correctly the enforced limit is only disabled if exactly one level (1.json) is requested - as indicated by the maxRecursionLevels setting. Otherwise, particularly for infinity.json, the maximum is respected and enforced even on the first level as before.
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler updated SLING-2320:
------------------------------------

    Attachment:     (was: servlets-get.patch)
    
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: json_get_servlet_rewrite.patch, jsonRenderer.diff, servlets-get.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler updated SLING-2320:
------------------------------------

    Attachment: servlets-get.patch

I've updated the patch which avoids searching the parent and also cleans up the code.
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: json_get_servlet_rewrite.patch, jsonRenderer.diff, servlets-get.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Carsten Ziegeler (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler updated SLING-2320:
------------------------------------

    Attachment:     (was: jsonRenderer.diff)
    
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Jeff Young (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13167650#comment-13167650 ] 

Jeff Young commented on SLING-2320:
-----------------------------------

BTW: final installment is "json_get_servlet_rewrite.patch".
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Justin Edelson
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, json_get_servlet_rewrite.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Felix Meschberger (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163081#comment-13163081 ] 

Felix Meschberger commented on SLING-2320:
------------------------------------------

I think these are bad bugs to be fixed as well .. We can prevent these exceptions from being thrown by writing correct code, so we should.
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>         Attachments: jsonRenderer.diff
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13493968#comment-13493968 ] 

Carsten Ziegeler commented on SLING-2320:
-----------------------------------------

I'm not sure if we should fetch the whole tree twice from the resource resolver; the resources are added to a list already anyway, so why not use this data structure for the second pass?
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: json_get_servlet_rewrite.patch, jsonRenderer.diff, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler updated SLING-2320:
------------------------------------

    Attachment: servlets-get.patch

Patch which avoids serializing/deserializing JSON objects.
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: json_get_servlet_rewrite.patch, jsonRenderer.diff, servlets-get.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Assigned] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Justin Edelson (Assigned) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Edelson reassigned SLING-2320:
-------------------------------------

    Assignee: Justin Edelson  (was: Felix Meschberger)
    
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Justin Edelson
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Carsten Ziegeler (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13197652#comment-13197652 ] 

Carsten Ziegeler commented on SLING-2320:
-----------------------------------------

Is this issue solved or what needs to be done?
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, json_get_servlet_rewrite.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

[jira] [Reopened] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Justin Edelson (Reopened) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Edelson reopened SLING-2320:
-----------------------------------


As I mentioned in the mailing list thread, this behavior should be configurable. Either:
1) Enable the restoration of the old behavior with a boolean property
2) Specify a different maximum number of resources for the first level (and -1 == no limit).
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

[jira] [Assigned] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Felix Meschberger (Assigned) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger reassigned SLING-2320:
----------------------------------------

    Assignee: Felix Meschberger  (was: Justin Edelson)
    
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, json_get_servlet_rewrite.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

[jira] [Issue Comment Edited] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Jeff Young (Issue Comment Edited) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13162978#comment-13162978 ] 

Jeff Young edited comment on SLING-2320 at 12/5/11 7:45 PM:
------------------------------------------------------------

Note: the patch has SLING-XXXX in it (rather than SLING-2320) because I thought I had to create it before creating the JIRA issue.  (And then, of course, I forgot to update it before uploading.)
                
      was (Author: jeyjey):
    Note: the patch has SLING-XXXX in it because I thought I had to create it before creating the JIRA issue.  (And then, of course, I forgot to update it before uploading.)
                  
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>              Labels: newbie, patch
>         Attachments: jsonRenderer.diff
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Jeff Young (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163970#comment-13163970 ] 

Jeff Young commented on SLING-2320:
-----------------------------------

Felix, your change to the logic turns off the DOS limitation for infinity as well (which is encoded as -1).  The second half of the if stmt should be != 1, not > 1.

I've just finished writing a unit test for the servlet, so I'll go ahead and fix this as well in the patch.  I'm planning to upload two separate patches: first the unit test (with this fix in it), and then a cleanup of the exception behaviour.  Sound good?
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

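The depth check Jeff describes above (infinity encoded as -1, so a "> 1" test silently skips the limit for resource.infinity.json while "!= 1" does not), together with the separate first-level cap Justin proposes in the reopen comment, worked through as an added example. This is plain Java written for this page; it is not Sling's JsonRendererServlet and not any of the patches attached to the issue. The Node tree, the method names, the counting cut-off and the firstLevelMax parameter (with -1 meaning unlimited) are assumptions made for the illustration; only the -1 encoding of infinity and the two comparisons come from the comments.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added illustration of the depth/limit decision discussed in SLING-2320.
 * Not Sling code: the Node tree and every name below are stand-ins.
 */
public class JsonDumpLimitExample {

    /** Sling's GET servlet encodes "resource.infinity.json" as recursion level -1. */
    static final int INFINITY = -1;

    /** Minimal stand-in for a resource tree (assumption; not the Sling Resource API). */
    static final class Node {
        final List<Node> children = new ArrayList<>();

        Node addChild() {
            Node child = new Node();
            children.add(child);
            return child;
        }
    }

    /** The intermediate check: -1 is not greater than 1, so infinity bypasses the limit. */
    static boolean limitAppliesBuggy(int maxRecursionLevels) {
        return maxRecursionLevels > 1;
    }

    /** The corrected check: depth 1 is the only request that is never "deep". */
    static boolean limitAppliesFixed(int maxRecursionLevels) {
        return maxRecursionLevels != 1;
    }

    /**
     * Counts the resources a dump of the given depth would emit, giving up as
     * soon as the count exceeds cap so the counting pass cannot itself become
     * the expensive traversal the limit is meant to prevent.
     */
    static int countResources(Node node, int maxRecursionLevels, int cap) {
        int count = 1;
        if (maxRecursionLevels == 0) {
            return count;
        }
        int childLevels = (maxRecursionLevels == INFINITY) ? INFINITY : maxRecursionLevels - 1;
        for (Node child : node.children) {
            if (count > cap) {
                return count;
            }
            count += countResources(child, childLevels, cap - count);
        }
        return count;
    }

    /**
     * Decides whether the dump may be served. maxResources caps deep dumps;
     * firstLevelMax is the separate depth-1 cap from the reopen comment, where
     * -1 means unlimited (so resource.1.json always succeeds). A negative
     * maxResources likewise means unlimited.
     */
    static boolean allowDump(Node root, int maxRecursionLevels, int maxResources,
                             int firstLevelMax, boolean useFixedCheck) {
        int cap;
        if (maxRecursionLevels == 1) {
            cap = firstLevelMax;
        } else {
            boolean applies = useFixedCheck
                    ? limitAppliesFixed(maxRecursionLevels)
                    : limitAppliesBuggy(maxRecursionLevels);
            cap = applies ? maxResources : -1;
        }
        if (cap < 0) {
            return true;
        }
        return countResources(root, maxRecursionLevels, cap) <= cap;
    }

    public static void main(String[] args) {
        // Constructed tree: 1 root + 50 children + 2500 grandchildren = 2551 resources.
        Node root = new Node();
        for (int i = 0; i < 50; i++) {
            Node child = root.addChild();
            for (int j = 0; j < 50; j++) {
                child.addChild();
            }
        }
        int maxResources = 200;

        // Depth 1 (51 resources) is served regardless of the deep limit.
        System.out.println("depth 1, fixed:  " + allowDump(root, 1, maxResources, -1, true));
        // Depth 2 exceeds 200 resources and is refused.
        System.out.println("depth 2, fixed:  " + allowDump(root, 2, maxResources, -1, true));
        // With the "> 1" check, infinity (-1) slips past the limit entirely.
        System.out.println("infinity, buggy: " + allowDump(root, INFINITY, maxResources, -1, false));
        // With "!= 1", infinity is treated as deep and refused.
        System.out.println("infinity, fixed: " + allowDump(root, INFINITY, maxResources, -1, true));
    }
}
```

The early exit in countResources matters as much as the comparison: a limit that first walks the whole subtree to count it has already done the work it was supposed to refuse.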

        

[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Justin Edelson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13167591#comment-13167591 ] 

Justin Edelson commented on SLING-2320:
---------------------------------------

Adding unit tests patch in r1213305.

Jeff - I forgot to give you thanks in the commit message. Apologies.
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Justin Edelson
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Carsten Ziegeler (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler updated SLING-2320:
------------------------------------

    Attachment:     (was: servlet_tests.patch)
    
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13493850#comment-13493850 ] 

Carsten Ziegeler commented on SLING-2320:
-----------------------------------------

[~fmeschbe] Could you please have a look at this?
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: json_get_servlet_rewrite.patch, jsonRenderer.diff, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Jeff Young (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeff Young updated SLING-2320:
------------------------------

    Attachment: servlet_tests.patch
    
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, jsonRenderer.diff, servlet_tests.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Jeff Young (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13197723#comment-13197723 ] 

Jeff Young commented on SLING-2320:
-----------------------------------

My last patch (which contains all the good bug fixes; see a - d above) still needs committing.
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, json_get_servlet_rewrite.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Jeff Young (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeff Young updated SLING-2320:
------------------------------

    Description: 
A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).

For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

  was:A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).

    
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>              Labels: newbie, patch
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13494032#comment-13494032 ] 

Carsten Ziegeler commented on SLING-2320:
-----------------------------------------

I've attached a different patch which solves b) from the above list.
I think the other points are more cosmetics - wdyt?

                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: json_get_servlet_rewrite.patch, jsonRenderer.diff, servlets-get.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler updated SLING-2320:
------------------------------------

    Attachment: servlets-get.patch

Again a new version which does even more code cleanup.

[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13494175#comment-13494175 ] 

Carsten Ziegeler commented on SLING-2320:
-----------------------------------------

I've applied a slightly modified patch now which fixes a), b) and c) by directly using JSONObjects and using the same algorithm to scan the tree as before.

I'll leave this open for some days to gather potential feedback.

[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Jeff Young (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeff Young updated SLING-2320:
------------------------------

    Attachment: json_get_servlet_rewrite.patch

No worries, Justin.  I've got one more anyway ;)

Hopefully this is the final installment.
Rewrite of JSON GET servlet to:
a) not throw two exceptions per node finding the parent (in fact, we don't look for the parent at all anymore as the JSON rendering is now done via a second-pass, depth-first traversal rather than during the breadth-first depthCheck)
b) not serialize/de-serialize/re-serialize the JSON (also due to the above two-pass approach)
c) use ArrayLists instead of LinkedLists for breadth-first traversal (to reduce memory allocation calls)
d) not use exceptions for limiting depth
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Justin Edelson
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, json_get_servlet_rewrite.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

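The depth rule from the issue description (depth 1 is always served, only deeper traversals are subject to the DOS limit) and the two-pass approach described in the rewrite comment above, modelled in Python as an added illustration; this is not Sling's Java servlet code, and the resource tree, the node limit and the function names are constructed for the example.

```python
from collections import deque
import json

# Constructed in-memory resource tree: each node maps child names to
# child nodes; a leaf is an empty dict.  Six nodes including the root.
SAMPLE_TREE = {
    "a": {"a1": {}, "a2": {"deep": {}}},
    "b": {},
}

INFINITY = -1  # stands in for the ".infinity" selector


def depth_check(node, max_depth, max_nodes):
    """Breadth-first pass: count the nodes a request would touch.
    Returns True if the traversal stays within max_nodes and False
    otherwise; the walk is stopped by a return value, not an exception."""
    # The plain "resource.1.json" case (depth <= 1) is always allowed and
    # is not counted against the DOS limit.
    if max_depth != INFINITY and max_depth <= 1:
        return True
    count = 0
    queue = deque([(node, 0)])
    while queue:
        current, level = queue.popleft()
        count += 1
        if count > max_nodes:
            return False
        if max_depth == INFINITY or level < max_depth:
            for child in current.values():
                queue.append((child, level + 1))
    return True


def render(node, max_depth, level=0):
    """Depth-first pass: build the JSON object directly, with no
    serialize / parse / re-serialize round trip, cutting off at max_depth."""
    out = {}
    if max_depth == INFINITY or level < max_depth:
        for name, child in node.items():
            out[name] = render(child, max_depth, level + 1)
    return out


def get_json(tree, max_depth, max_nodes=100):
    """Returns (allowed, body): body is None when the deep traversal is
    refused by the depth check, otherwise the rendered tree."""
    if not depth_check(tree, max_depth, max_nodes):
        return False, None
    return True, render(tree, max_depth)


if __name__ == "__main__":
    print(json.dumps(get_json(SAMPLE_TREE, 1, max_nodes=1)[1]))
```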

[jira] [Issue Comment Edited] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Jeff Young (Issue Comment Edited) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163073#comment-13163073 ] 

Jeff Young edited comment on SLING-2320 at 12/5/11 9:45 PM:
------------------------------------------------------------

Yeah, I was also somewhat concerned by the fact that ResourceTraversor.getParentJSONObject() will throw two exceptions *for every node traversed*.  (The first is thrown because the leading "/" isn't trimmed off of pathDiff, yielding an empty path segment, and the second because the last path looked for is self, which of course doesn't exist yet.)

But I didn't want to extend my remit beyond what I had been granted permission to fix....
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>         Attachments: jsonRenderer.diff
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Jeff Young (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13289232#comment-13289232 ] 

Jeff Young commented on SLING-2320:
-----------------------------------

The 12/Dec/11 patch still needs to be applied.

Without it performance will be impaired (due to 2 exceptions being thrown per node and the result being serialized/de-serialized/re-serialized).
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, json_get_servlet_rewrite.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.


[jira] [Commented] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

Posted by "Justin Edelson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13167590#comment-13167590 ] 

Justin Edelson commented on SLING-2320:
---------------------------------------

level fix done in r1213304
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Justin Edelson
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy.  DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.
