You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Carsten Ziegeler (JIRA)" <ji...@apache.org> on 2012/11/09 16:00:14 UTC
[jira] [Updated] (SLING-2320) Current DOS-prevention for
infinity.json can prevent enumeration of children
[ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Carsten Ziegeler updated SLING-2320:
------------------------------------
Attachment: servlets-get.patch
Patch which avoids serializing/deserializing of json objects
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
> Issue Type: Bug
> Components: Servlets
> Affects Versions: Servlets Get 2.1.0
> Reporter: Jeff Young
> Assignee: Felix Meschberger
> Labels: newbie, patch
> Fix For: Servlets Get 2.1.4
>
> Attachments: json_get_servlet_rewrite.patch, jsonRenderer.diff, servlets-get.patch, servlet_tests.patch
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary method for JSON introspection of the repository hierarchy. DOS protection should only apply to "deep" traversals; that is, anything with a depth greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira