Posted to dev@hc.apache.org by "Clinton Nielsen (Created) (JIRA)" <ji...@apache.org> on 2011/12/20 21:03:30 UTC

[jira] [Created] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.
--------------------------------------------------------------------------------------------------------

                 Key: HTTPCLIENT-1153
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1153
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient
    Affects Versions: 4.1.1
            Reporter: Clinton Nielsen



Spy memcached has 250 defined as max key length:
http://dustin.github.com/java-memcached-client/apidocs/constant-values.html#net.spy.memcached.MemcachedClientIF.MAX_KEY_LENGTH

URLs can be (and often are) much longer than 250 characters.

URLs should be hashed before being used as keys.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


[jira] [Updated] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Oleg Kalnichevski (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski updated HTTPCLIENT-1153:
------------------------------------------

    Fix Version/s: 4.2 Final
    
> org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.
> --------------------------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1153
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1153
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.1.1
>            Reporter: Clinton Nielsen
>             Fix For: 4.2 Final
>
>
> Spy memcached has 250 defined as max key length:
> http://dustin.github.com/java-memcached-client/apidocs/constant-values.html#net.spy.memcached.MemcachedClientIF.MAX_KEY_LENGTH
> URLs can be (and often are) much longer than 250 characters.
> URLs should be hashed before being used as keys.


[jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Sebb (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13185211#comment-13185211 ] 

Sebb commented on HTTPCLIENT-1153:
----------------------------------

Do we need to be careful to avoid the recently announced hashtable collision DoS vulnerability which can arise from the Java hashtable implementation [1] ?

AIUI, the issue is that by carefully chosen input, an attacker can deliberately cause hash collisions; in turn these cause extra CPU to be used.

[1] http://www.nruns.com/_downloads/advisory28122011.pdf
                
> org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.
> --------------------------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1153
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1153
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.1.1, 4.1.2
>            Reporter: Clinton Nielsen
>            Assignee: Jon Moore
>             Fix For: 4.1.3, 4.2 Alpha2
>
>
> Spy memcached has 250 defined as max key length:
> http://dustin.github.com/java-memcached-client/apidocs/constant-values.html#net.spy.memcached.MemcachedClientIF.MAX_KEY_LENGTH
> URLs can be (and often are) much longer than 250 characters.
> URLs should be hashed before being used as keys.


[jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Oleg Kalnichevski (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13188068#comment-13188068 ] 

Oleg Kalnichevski commented on HTTPCLIENT-1153:
-----------------------------------------------

@Jon: Ideally all new features, especially substantial like this one, should go through a BETA testing phase. Personally I would not merge to the 4.1.x branch, but will not object should you decide otherwise. Your opinion matters as much as mine.

Oleg
                

[jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Clinton Nielsen (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13187826#comment-13187826 ] 

Clinton Nielsen commented on HTTPCLIENT-1153:
---------------------------------------------

@Jon: Yeah, I took a brief look through the code and it looks good.

One suggestion I have is that java.security.MessageDigest, as I understand it, is not threadsafe. So if multiple threads are trying to use MemcachedHttpCacheStorage (and even if they all have their own instance of the same), the MessageDigest class will always be using the same underlying instance and therefore one thread might stomp another while trying to generate a hash.

Consider cloning the MessageDigest instance or synchronizing the creation of the hash.

Thanks.

                

[jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Jon Moore (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13185226#comment-13185226 ] 

Jon Moore commented on HTTPCLIENT-1153:
---------------------------------------

@Sebb: I don't think this applies to us, as we're not using a HashMap. Rather, I'm applying a hash function to map one set of values (the URLs the caching layer uses as cache keys) to another set of values (keys short enough to fit in the 250-byte constraint). The actual data structure (if any) that might be affected here would be in memcached. However, I'm planning on using a cryptographic hash algorithm, so it's unlikely to be subject to the types of the attacks described in the vulnerability (e.g. the very simple hash functions commonly used for Object#hashCode()).
                

[jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Jon Moore (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13188037#comment-13188037 ] 

Jon Moore commented on HTTPCLIENT-1153:
---------------------------------------

@Oleg - I'm ready to backport this to the 4.1.x branch but would like to hear your opinion on the deprecated constructor at least before I do.

                

[jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Jon Moore (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13188462#comment-13188462 ] 

Jon Moore commented on HTTPCLIENT-1153:
---------------------------------------

I'm somewhat torn here, because this is a bug currently, not a new feature. I'm going to research what the memcached client does when it gets a key that's too long; if it silently ignores it (i.e. doesn't do the put, and returns null for a get) or throws an exception we can catch where we can treat it the same way, then I'm ok not backporting this more thorough fix, as we won't have correctness problems (we just won't get effective caching, which while not optimal, is still compliant). If it truncates the key instead, though, then we could have cache collisions that would result in incorrect behavior, and I'd be more likely to want to backport the fix.

I'll see what I can find out and will post an update.

                

[jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Jon Moore (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13187812#comment-13187812 ] 

Jon Moore commented on HTTPCLIENT-1153:
---------------------------------------

Ok, just checked in the implementation here. Worth discussing: I ended up deprecating one of the existing constructors (one that took a custom serializer) because I had to change the serialization mechanism to accommodate fixing this bug. I somewhat suspect few folks would have been using custom serializers anyway, but there is a new constructor and some new interfaces that can be implemented if custom serialization is still desired.

I chose SHA-256 as the default hashing scheme here. Do you think it is worth implementing fallback algorithms based on SHA-1 or MD5? I'm somewhat inclined to just let others contribute them if desired. The current default scheme with SHA-256 essentially resorts to not caching at all if it can't find a SHA-256 algorithm, which might not be great for a default. Falling back to a weaker algorithm is probably not hard, so perhaps I'll look at that next.

At any rate, the KeyHashingScheme interface should let us also provide a prefix-naming scheme to solve HTTPCLIENT-1154 as well.

@Clinton: does this work for you?
                

[jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Jon Moore (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13187991#comment-13187991 ] 

Jon Moore commented on HTTPCLIENT-1153:
---------------------------------------

@Clinton: I was aware of the thread safety issues with MessageDigest, which is why I'm getting a new instance of it for each hash. I just verified that two subsequent calls to MessageDigest.getInstance() return distinct objects, so I think we're ok there.
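
The approach discussed in the comments above (SHA-256 of the URL, a new MessageDigest instance per hash, an optional key prefix), as an added example that is not the code checked into HttpClient. The class name, method name and the "hc:" prefix are hypothetical, and the sample URLs are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Added illustration; names are hypothetical, not HttpClient's API.
public class UrlKeyHashingExample {

    // Limit quoted in the issue (net.spy.memcached.MemcachedClientIF.MAX_KEY_LENGTH).
    static final int MAX_KEY_LENGTH = 250;

    /** Maps a URL of any length to a fixed-length, memcached-safe key. */
    static String hashKey(String prefix, String url) throws NoSuchAlgorithmException {
        // A fresh MessageDigest per call: instances hold state and are not
        // thread-safe, so one must never be shared between threads.
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(url.getBytes(StandardCharsets.UTF_8));

        // Hex encoding yields 64 characters with no whitespace or control
        // characters, which memcached keys must not contain.
        StringBuilder sb = new StringBuilder(prefix.length() + digest.length * 2);
        sb.append(prefix);
        for (byte b : digest) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        String key = sb.toString();
        if (key.length() > MAX_KEY_LENGTH) {
            throw new IllegalArgumentException("prefix leaves no room for the digest");
        }
        return key;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: two URLs longer than 250 characters that share
        // their first 300 characters and differ only at the end.
        StringBuilder common = new StringBuilder("http://example.invalid/search?q=");
        while (common.length() < 300) {
            common.append('a');
        }
        final String urlA = common + "&page=1";
        final String urlB = common + "&page=2";

        // Truncating to the limit would map both URLs to the same cache entry.
        boolean truncatedCollide =
                urlA.substring(0, MAX_KEY_LENGTH).equals(urlB.substring(0, MAX_KEY_LENGTH));
        System.out.println("truncated keys collide: " + truncatedCollide);

        final String keyA = hashKey("hc:", urlA);
        String keyB = hashKey("hc:", urlB);
        System.out.println("hashed key length:      " + keyA.length());
        System.out.println("hashed keys collide:    " + keyA.equals(keyB));

        // Many threads hashing the same URL must all produce the same key.
        ExecutorService pool = Executors.newFixedThreadPool(8);
        List<Future<String>> results = new ArrayList<>();
        for (int i = 0; i < 1000; i++) {
            results.add(pool.submit(() -> hashKey("hc:", urlA)));
        }
        int mismatches = 0;
        for (Future<String> f : results) {
            if (!f.get().equals(keyA)) {
                mismatches++;
            }
        }
        pool.shutdown();
        System.out.println("mismatches under concurrency: " + mismatches);
    }
}
```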

                

[jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Jon Moore (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13188508#comment-13188508 ] 

Jon Moore commented on HTTPCLIENT-1153:
---------------------------------------

Stopgap bugfix checked into 4.1.x as described. This is the lowest-risk solution to the problem; restores correct behavior at the cost of not caching those urls (which it wasn't doing anyway; but at least this way the client can proceed with a non-cached backend request).

                

[jira] [Resolved] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Jon Moore (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Moore resolved HTTPCLIENT-1153.
-----------------------------------

    Resolution: Fixed
    

[jira] [Updated] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Jon Moore (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Moore updated HTTPCLIENT-1153:
----------------------------------

          Description: 
Spy memcached has 250 defined as max key length:
http://dustin.github.com/java-memcached-client/apidocs/constant-values.html#net.spy.memcached.MemcachedClientIF.MAX_KEY_LENGTH

URLs can be (and often are) much longer than 250 characters.

URLs should be hashed before being used as keys.

  was:

Spy memcached has 250 defined as max key length:
http://dustin.github.com/java-memcached-client/apidocs/constant-values.html#net.spy.memcached.MemcachedClientIF.MAX_KEY_LENGTH

URLs can be (and often are) much longer than 250 characters.

URLs should be hashed before being used as keys.

    Affects Version/s: 4.1.2
        Fix Version/s:     (was: 4.2 Final)
                       4.2 Alpha2
                       4.1.3
    

[jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Jon Moore (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13188468#comment-13188468 ] 

Jon Moore commented on HTTPCLIENT-1153:
---------------------------------------

Ok, I looked into the spy-memcached source, and it throws an IllegalArgumentException when it encounters a key that's too long. I think, then, that there's a simpler fix similar to what we did for HTTPCLIENT-1157, where we catch the IllegalArgumentException and re-throw it as an IOException (which the CachingHttpClient can then handle gracefully). I'll work up a patch for that for the 4.1.x branch.
                

[jira] [Issue Comment Edited] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Clinton Nielsen (Issue Comment Edited) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13187826#comment-13187826 ] 

Clinton Nielsen edited comment on HTTPCLIENT-1153 at 1/17/12 5:43 PM:
----------------------------------------------------------------------

@Jon: Yeah, I took a brief look through the code and it looks good.

One suggestion I have is that java.security.MessageDigest, as I understand it, is not threadsafe. So if multiple threads are trying to use MemcachedHttpCacheStorage (and even if they all have their own instance of the same), the MessageDigest class will always be using the same underlying instance and therefore one thread might stomp another while trying to generate a hash.

Consider cloning the MessageDigest instance or synchronizing the creation of the hash.

Thanks.

                
> org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.
> --------------------------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1153
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1153
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.1.1, 4.1.2
>            Reporter: Clinton Nielsen
>            Assignee: Jon Moore
>             Fix For: 4.1.3, 4.2 Alpha2
>
>
> Spy memcached has 250 defined as max key length:
> http://dustin.github.com/java-memcached-client/apidocs/constant-values.html#net.spy.memcached.MemcachedClientIF.MAX_KEY_LENGTH
> URLs can be (and often are) much longer than 250 characters.
> URLs should be hashed before being used as keys.



[jira] [Assigned] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Jon Moore (Assigned) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Moore reassigned HTTPCLIENT-1153:
-------------------------------------

    Assignee: Jon Moore
    
> org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.
> --------------------------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1153
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1153
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.1.1
>            Reporter: Clinton Nielsen
>            Assignee: Jon Moore
>             Fix For: 4.2 Final
>
>
> Spy memcached has 250 defined as max key length:
> http://dustin.github.com/java-memcached-client/apidocs/constant-values.html#net.spy.memcached.MemcachedClientIF.MAX_KEY_LENGTH
> URLs can be (and often are) much longer than 250 characters.
> URLs should be hashed before being used as keys.



[jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Jon Moore (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13185192#comment-13185192 ] 

Jon Moore commented on HTTPCLIENT-1153:
---------------------------------------

Hey all, I'm starting to work on this. I realized once we start hashing the keys there is a possibility (however remote) that we'll get collisions, so I am working on a not-overly-complicated solution to serialize the original URL key in with the cache entry itself, so it can be compared when we retrieve it. I'll be sure to go back around and add all the proper factory/interface/dependency-injection framework to make sure it's extensible.

                

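
An added example (not HttpClient's code, and not posted by anyone in this thread) covering the two points raised in the comments: each hash uses its own MessageDigest, so no digest state is shared between threads, and the original URL is stored beside the entry so that a hash collision reads as a miss instead of returning another URL's response. The class name, the in-memory map standing in for memcached, and the truncation parameter used to force a collision are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sketch, not HttpClient code; the map stands in for memcached.
public class HashedKeyCache {
    // hashed key -> (original URL, cached body)
    private final Map<String, Map.Entry<String, byte[]>> backend = new ConcurrentHashMap<>();
    private final int keyChars; // hex chars kept from the digest; 64 = full SHA-256
    public HashedKeyCache(int keyChars) { this.keyChars = keyChars; }

    // A fresh MessageDigest per call, so no digest state is shared between threads.
    String hashKey(String url) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            StringBuilder hex = new StringBuilder();
            for (byte b : md.digest(url.getBytes(StandardCharsets.UTF_8))) {
                hex.append(String.format("%02x", b));
            }
            return hex.substring(0, keyChars); // fixed length, whatever the URL length
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public void put(String url, byte[] body) {
        backend.put(hashKey(url), Map.entry(url, body));
    }

    // An entry stored under the same hash for a different URL is treated as a miss.
    public byte[] get(String url) {
        Map.Entry<String, byte[]> e = backend.get(hashKey(url));
        return (e != null && e.getKey().equals(url)) ? e.getValue() : null;
    }

    public static void main(String[] args) {
        HashedKeyCache cache = new HashedKeyCache(1); // 1 hex char, to force collisions
        String first = "http://example.test/a?id=0";  // constructed sample URLs
        cache.put(first, "A".getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < 1000; i++) {
            String other = "http://example.test/a?id=" + i;
            if (cache.hashKey(other).equals(cache.hashKey(first))) {
                System.out.println(other + " collides; get() returns " + cache.get(other));
                break;
            }
        }
    }
}
```

With the full 64-character digest the key stays well under the 250-character limit quoted in the issue, and the URL comparison in `get` is what keeps a colliding key from serving the wrong cached response.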


[jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Posted by "Clinton Nielsen (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13188036#comment-13188036 ] 

Clinton Nielsen commented on HTTPCLIENT-1153:
---------------------------------------------

Ah, very good then. Thanks for confirming.
                
