Posted to issues@cxf.apache.org by "Sergey Beryozkin (Commented) (JIRA)" <ji...@apache.org> on 2012/03/14 18:08:40 UTC

[jira] [Commented] (CXF-4172) Default JAX-RS JAXB, JSON and Form providers are open to the hash collision attacks

    [ https://issues.apache.org/jira/browse/CXF-4172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13229356#comment-13229356 ] 

Sergey Beryozkin commented on CXF-4172:
---------------------------------------

A number of new contextual properties have been introduced to limit the depth of the incoming XML or JSON payloads (processed with the help of JAXB) and form payloads.

XML and JSON:

"depthTotalElementCountThreshold" - restricts the total number of elements in a given payload.
"depthInnerElementCountThreshold" - restricts the total number of child elements for a given element.
"depthInnerElementLevelThreshold" - restricts the stack depth starting from a given element (root by default).

These properties can be enforced in a number of ways. The simplest option is to enable them on individual JAX-RS endpoints. Alternatively, default CXF JAX-RS JAXBElementProvider and JSONProvider can have a 'depthProperties' set (http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/staxutils/DocumentDepthProperties.java). Finally they can instead depend on DepthRestrictingStreamInterceptor (http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java) configured and added to the inbound chain.

Source and DOM Document providers will depend on DepthRestrictingStreamInterceptor.

More sophisticated properties can be introduced in the future.

Form:

"maxFormParameterCount" - restricts the number of form name-value pairs.
Note that the Servlet containers may also need to restrict the number of form parameters:
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201112.mbox/%3C4EFB9800.5010106@apache.org%3E

The clients will get HTTP 413 back whenever one of the above contextual properties cannot be enforced.

*Note*: other optional XML or JSON providers may need the related third-party library enhanced to enforce the depth of the incoming payloads.


> Default JAX-RS JAXB, JSON and Form providers are open to the hash collision attacks
> -----------------------------------------------------------------------------------
>
>                 Key: CXF-4172
>                 URL: https://issues.apache.org/jira/browse/CXF-4172
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>            Reporter: Sergey Beryozkin
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 2.3.10, 2.4.7, 2.5.3, 2.6
>
>
> JAXB based and Form providers using the Maps internally are open to the hash collision attacks.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
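Added example, not part of the JIRA comment and not CXF's own code: a small Python model of what the three XML thresholds and `maxFormParameterCount` described in the comment check, with the payload rejected as HTTP 413 at the first violation. The XML side parses in streaming fashion, so an oversized document is refused before it is fully read or turned into objects; the form side uses `parse_qsl`'s `max_num_fields` (Python 3.8+), which refuses to build more than N pairs before any map exists. Assumptions: `-1` disables a threshold, the root element counts as level 1, and the `LIMITS` values, `handle_request` dispatcher and the `nested_xml`/`wide_xml` payload builders are constructed for the demo. CXF enforces these in Java via its StAX reader and `DepthRestrictingStreamInterceptor`; this block only illustrates the semantics.

```python
"""Added example: model of the CXF-4172 depth and form-count thresholds."""
import xml.parsers.expat
from urllib.parse import parse_qsl


class PayloadTooLarge(Exception):
    """A threshold was exceeded; the caller answers HTTP 413."""
    status = 413


class DepthRestrictingXmlChecker:
    """Streaming (StAX-like) check of an XML payload.

    Threshold names follow the comment; -1 disables one (assumption: the
    comment gives no 'disabled' value). Levels count from the root, which
    is level 1 (assumption).
    """

    def __init__(self, total_element_count=-1, inner_element_count=-1,
                 inner_element_level=-1):
        self.total_element_count = total_element_count  # depthTotalElementCountThreshold
        self.inner_element_count = inner_element_count  # depthInnerElementCountThreshold
        self.inner_element_level = inner_element_level  # depthInnerElementLevelThreshold

    def check(self, data: bytes) -> dict:
        """Parse `data` once; raise PayloadTooLarge at the first violation.

        Returns the observed counts for a payload that passes.
        """
        total = 0
        open_children = []  # one child counter per currently open element
        max_level = 0
        max_children = 0

        def start_element(name, attrs):
            nonlocal total, max_level, max_children
            total += 1
            if 0 <= self.total_element_count < total:
                raise PayloadTooLarge(
                    f"more than {self.total_element_count} elements in payload")
            if open_children:  # this element is a child of the innermost open one
                open_children[-1] += 1
                max_children = max(max_children, open_children[-1])
                if 0 <= self.inner_element_count < open_children[-1]:
                    raise PayloadTooLarge(
                        f"more than {self.inner_element_count} children under one element")
            open_children.append(0)
            max_level = max(max_level, len(open_children))
            if 0 <= self.inner_element_level < len(open_children):
                raise PayloadTooLarge(
                    f"nesting deeper than {self.inner_element_level} levels")

        def end_element(name):
            open_children.pop()

        parser = xml.parsers.expat.ParserCreate()
        parser.StartElementHandler = start_element
        parser.EndElementHandler = end_element
        parser.Parse(data, True)  # an exception raised in a handler propagates from here
        return {"elements": total, "max_children": max_children, "max_level": max_level}


def check_form(body: str, max_form_parameter_count: int) -> list:
    """Decode a form body, refusing to build more than N name/value pairs.

    max_num_fields (Python 3.8+) counts separators before any map is built,
    so a collision-crafted body never reaches a hash table.
    """
    try:
        return parse_qsl(body, keep_blank_values=True,
                         max_num_fields=max_form_parameter_count)
    except ValueError as exc:
        raise PayloadTooLarge(
            f"more than {max_form_parameter_count} form parameters") from exc


# Constructed limits for the demo; real values depend on the service's payloads.
LIMITS = {
    "depthTotalElementCountThreshold": 50,
    "depthInnerElementCountThreshold": 10,
    "depthInnerElementLevelThreshold": 5,
    "maxFormParameterCount": 20,
}


def handle_request(content_type: str, body: bytes, limits: dict = LIMITS) -> int:
    """Hypothetical dispatcher: 200 when the payload passes, 413 when it does not."""
    try:
        if content_type in ("application/xml", "text/xml"):
            DepthRestrictingXmlChecker(
                limits["depthTotalElementCountThreshold"],
                limits["depthInnerElementCountThreshold"],
                limits["depthInnerElementLevelThreshold"],
            ).check(body)
        elif content_type == "application/x-www-form-urlencoded":
            check_form(body.decode("ascii"), limits["maxFormParameterCount"])
        return 200
    except PayloadTooLarge:
        return 413


def nested_xml(depth: int) -> bytes:
    """Constructed payload: one element nested `depth` levels deep."""
    return ("<e>" * depth + "</e>" * depth).encode()


def wide_xml(children: int) -> bytes:
    """Constructed payload: a root with `children` empty child elements."""
    return ("<r>" + "<c/>" * children + "</r>").encode()


if __name__ == "__main__":
    print(handle_request("application/xml", nested_xml(5)))  # 200
    print(handle_request("application/xml", nested_xml(6)))  # 413
    form = "&".join(f"k{i}=v" for i in range(21)).encode()
    print(handle_request("application/x-www-form-urlencoded", form))  # 413
```

The three XML checks fire independently: a wide-but-shallow document trips the inner count, a narrow-but-deep one trips the level, and a forest of small subtrees that stays under both still trips the total. JSON handled through JAXB (JSON-to-StAX) sees the same element-level thresholds, so the same model applies.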