You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Jeff Young (JIRA)" <ji...@apache.org> on 2012/06/05 10:12:25 UTC
[jira] [Commented] (SLING-2320) Current DOS-prevention for
infinity.json can prevent enumeration of children
[ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13289232#comment-13289232 ]
Jeff Young commented on SLING-2320:
-----------------------------------
The 12/Dec/11 patch still needs to be applied.
Without it performance will be impaired (due to 2 exceptions being thrown per node and the result being serialized/de-serialized/re-serialized).
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
> Issue Type: Bug
> Components: Servlets
> Affects Versions: Servlets Get 2.1.0
> Reporter: Jeff Young
> Assignee: Felix Meschberger
> Labels: newbie, patch
> Fix For: Servlets Get 2.1.4
>
> Attachments: jsonRenderer.diff, json_get_servlet_rewrite.patch, servlet_tests.patch
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy. DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira