Posted to dev@thrift.apache.org by "Claudius Heine (JIRA)" <ji...@apache.org> on 2016/11/02 07:14:58 UTC

[jira] [Commented] (THRIFT-3930) C++ JSON protocol gets unresponsive when feed with invalid data

    [ https://issues.apache.org/jira/browse/THRIFT-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15628015#comment-15628015 ] 

Claudius Heine commented on THRIFT-3930:
----------------------------------------

If I see correctly, thrift-c++ implements its own JSON parser, but doesn't have a complete JSON parsing test suite.

Since parsing JSON is not trivial (http://seriot.ch/parsing_json.html#41) we should implement a complete test suite for it, or use an existing JSON parser.

> C++ JSON protocol gets unresponsive when feed with invalid data
> ---------------------------------------------------------------
>
>                 Key: THRIFT-3930
>                 URL: https://issues.apache.org/jira/browse/THRIFT-3930
>             Project: Thrift
>          Issue Type: Bug
>          Components: C++ - Library
>    Affects Versions: 0.9.3
>         Environment: Linux armv7
>            Reporter: Pascal Bach
>              Labels: security
>
> When I send invalid data to the service via TJSONProtocol, it gets unresponsive until all the data is processed.
> When I send for example the following string via POST:
> {{[1,"0123456789",1,0,{"1":{"str":"0123456789"}}]0123456789"}}
> The server responds with:
> {{[1,"0123456789",3,0,{"1":{"str":"Invalid method name: '0123456789'"},"2":{"i32":1}}]}}
> On the server side I get messages like:
> {{Thrift: Fri Jan  1 00:10:52 2010 TConnectedClient protocol exception: Expected '['; got '6'.}}
> These messages keep coming long after the response was already received.
> If multiple requests like the ones above are made, the server is blocked for a long time doing nothing but printing the above-mentioned messages.
> This makes it easy to do a denial of service against the server.
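
As an added illustration (not Thrift's own code), the model below reproduces the behaviour the report describes: one valid JSON message followed by trailing garbage, consumed by a reader that, on every protocol exception, logs it, skips one byte and tries again, beside a reader that ends the connection at the first protocol exception. The simplified `readMessage` parser, the `serveResync`/`serveFailFast` names and the byte-by-byte resynchronisation policy are assumptions of the model, not Thrift internals.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Constructed input, taken from the report: a valid message plus 11 bytes of trailing garbage.
const std::string kReportedInput =
    R"json([1,"0123456789",1,0,{"1":{"str":"0123456789"}}]0123456789")json";

struct ProtocolException : std::runtime_error { using std::runtime_error::runtime_error; };

// Hypothetical minimal framing: a message is a bracketed JSON array starting at pos.
// Returns the position just after the message; throws on anything else.
std::size_t readMessage(const std::string& buf, std::size_t pos) {
    if (pos >= buf.size() || buf[pos] != '[')
        throw ProtocolException(std::string("Expected '['; got '") +
                                (pos < buf.size() ? buf[pos] : '?') + "'");
    int depth = 0;
    bool inStr = false;
    for (std::size_t i = pos; i < buf.size(); ++i) {
        char c = buf[i];
        if (inStr) { if (c == '\\') ++i; else if (c == '"') inStr = false; continue; }
        if (c == '"') inStr = true;
        else if (c == '[' || c == '{') ++depth;
        else if (c == ']' || c == '}') { if (--depth == 0) return i + 1; }
    }
    throw ProtocolException("unterminated message");
}

struct ServeResult { int messages; int exceptions; };

// Policy matching the symptom in the report: each bad byte costs one exception
// (and one log line), and the loop keeps going until the whole buffer is drained.
ServeResult serveResync(const std::string& buf) {
    ServeResult r{0, 0};
    std::size_t pos = 0;
    while (pos < buf.size()) {
        try { pos = readMessage(buf, pos); ++r.messages; }
        catch (const ProtocolException&) { ++r.exceptions; ++pos; }
    }
    return r;
}

// Hardened policy: the first protocol exception tears down the connection,
// so trailing garbage costs at most one exception regardless of its length.
ServeResult serveFailFast(const std::string& buf) {
    ServeResult r{0, 0};
    std::size_t pos = 0;
    while (pos < buf.size()) {
        try { pos = readMessage(buf, pos); ++r.messages; }
        catch (const ProtocolException&) { ++r.exceptions; break; }
    }
    return r;
}
```

With the reported input, the resynchronising reader raises one exception per garbage byte (11 here), while the fail-fast reader raises exactly one; the gap grows linearly with the amount of garbage a client appends.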



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)