[jira] [Commented] (QPID-7379) [Java Broker] Provide a mechanism to extract messages from a vhost message store and replay them into a new vhost

Thu, 15 Sep 2016 09:14:58 -0700 

    [ 
https://issues.apache.org/jira/browse/QPID-7379?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15493794#comment-15493794
 ] 

Lorenz Quack commented on QPID-7379:
------------------------------------

WIP Review:
* The Content-Disposition should also use the extended "filename*" syntax for 
UTF-8 encoded filenames. (See {{AbstractQueue$MessageContent}})
* {{AbstractVirtualHost#importMessageStore}} can be used for a DoS attack by 
crafting a "store" containing just 5 bytes: "0x00 MAX_INT" which will allocate 
a byte array of 2 GB which potentially exhaust the broker's heap bringing down 
the broker with an OOM Error. Maybe we limit the version string length to 1 
byte? In that case the arbitrary {{50}} in {{data.mark(50)}} could be replaced 
with an accurate upper bound on the reads like {{1+1+256}}. TODO: check whether 
other parts of the deserializer are equally vulnerable.
* I believe the {{0}} that is expected at the beginning of 
{{AbstractVirtualHost#importMessageStore}} is actually a 
{{serializer.v1.RecordType#VERSION}}
* It might be nicer to just throw the data stream at all serializers that are 
available through the QpidServiceLoader and have them handle or reject the data 
instead of putting knowledge of the serialisation format into the 
{{AbstractVirtualHost}}

> [Java Broker] Provide a mechanism to extract messages from a vhost message 
> store and replay them into a new vhost
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-7379
>                 URL: https://issues.apache.org/jira/browse/QPID-7379
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Rob Godfrey
>            Assignee: Rob Godfrey
>             Fix For: qpid-java-6.1
>
>
> QPID-7359 provided operations to extract the config from a virtual host, but 
> there are not currently any mechanisms to extract the contents of the message 
> store and replay that into a new vhost.  We should add this feature to (for 
> example) allow people to migrate their data from one vhost type to another



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

Reply via email to