[ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163073#comment-13163073 ]
Jeff Young edited comment on SLING-2320 at 12/5/11 9:45 PM:
------------------------------------------------------------

Yeah, I was also somewhat concerned by the fact that ResourceTraversor.getParentJSONObject() will throw two exceptions *for every node traversed*. (The first is thrown because the leading "/" isn't trimmed off of pathDiff, yielding an empty path segment, and the second because the last path looked for is self, which of course doesn't exist yet.) But I didn't want to extend my remit beyond what I had been granted permission to fix....

was (Author: jeyjey):
Yeah, I was also somewhat concerned by the fact that ResourceTraversor.getParentJSONObject() will throw two exceptions *for every node traversed*. (The first is thrown because the leading "/" isn't trimmed off of pathDiff, yielding an empty path segment, and the second because the last path looked for is self, which of course doesn't exist yet. But I didn't want to extend my remit beyond what I had been granted permission to fix....

> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>         Attachments: jsonRenderer.diff
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary
> method for JSON introspection of the repository hierarchy. DOS protection
> should only apply to "deep" traversals; that is, anything with a depth
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see:
> http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
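The two points made above (the issue's "depth 1 must always be served, only deeper traversals get DOS-limited" and the comment's "two swallowed exceptions per node in getParentJSONObject()") are easy to see side by side in a small stand-in. The following is an added Python example, not Sling's code and not the patch attached to the issue: SAMPLE_TREE, render(), depth_allowed() and the two parent_segments_* helpers are constructed for this illustration. It counts the failed lookups of the described path-diff walk (leading "/" kept, last segment being the node itself) against a corrected walk, and gates the traversal so that a depth-1 request is never rejected.

```python
"""Added example (not Sling's code): a toy stand-in for ResourceTraversor that
reproduces the two spurious lookups per node described in the comment, beside a
corrected parent lookup and a depth gate that never blocks depth-1 requests.
All names and the sample hierarchy below are constructed for illustration."""

# Constructed sample hierarchy: absolute path -> list of child names.
SAMPLE_TREE = {
    "/content": ["a", "b"],
    "/content/a": ["a1"],
    "/content/a/a1": [],
    "/content/b": [],
}


def children_of(path):
    return SAMPLE_TREE.get(path, [])


def child_path(parent, name):
    return parent.rstrip("/") + "/" + name


def parent_segments_naive(root_path, node_path):
    """Mirrors the described bug: pathDiff keeps its leading '/', so split()
    yields an empty first segment, and the last segment is the node itself
    (which has not been added to the JSON tree yet)."""
    path_diff = node_path[len(root_path):]
    return path_diff.split("/")


def parent_segments_fixed(root_path, node_path):
    """Trim the leading '/' and drop the node's own name, so only the ancestors
    between the start resource and the node are looked up."""
    path_diff = node_path[len(root_path):].strip("/")
    if not path_diff:
        return []
    return path_diff.split("/")[:-1]


def get_parent_json_object(root_json, root_path, node_path, segments_fn, stats):
    """Walk from the start resource's JSON object down to the node's parent.
    Failed lookups are swallowed (the comment says the traversor does the
    same) but counted in stats["misses"] so the per-node cost is visible."""
    current = root_json
    for seg in segments_fn(root_path, node_path):
        try:
            current = current[seg]
        except KeyError:
            stats["misses"] += 1
    return current


def depth_allowed(requested_depth, max_depth):
    """requested_depth: int, or None for the 'infinity' selector.
    Depth <= 1 is always served; only deeper traversals are subject to the
    configured limit (max_depth None = unlimited)."""
    if requested_depth is not None and requested_depth <= 1:
        return True
    if max_depth is None:
        return True
    return requested_depth is not None and requested_depth <= max_depth


def render(root_path, requested_depth, max_depth, segments_fn):
    """Build the nested JSON object for root_path. Returns (tree, misses)."""
    if not depth_allowed(requested_depth, max_depth):
        raise PermissionError("traversal depth exceeds configured limit")
    root_json = {}
    stats = {"misses": 0}

    def walk(path, depth):
        if requested_depth is not None and depth >= requested_depth:
            return
        for name in children_of(path):
            cpath = child_path(path, name)
            parent = get_parent_json_object(root_json, root_path, cpath,
                                            segments_fn, stats)
            parent[name] = {}
            walk(cpath, depth + 1)

    walk(root_path, 0)
    return root_json, stats["misses"]


if __name__ == "__main__":
    # Same output tree either way; only the number of swallowed misses differs.
    print(render("/content", None, None, parent_segments_naive))
    print(render("/content", None, None, parent_segments_fixed))
    # resource.1.json is served even when the deep-traversal limit is 0.
    print(render("/content", 1, 0, parent_segments_fixed))
```

With the sample tree (three nodes below the root) the naive walk records six misses, two per node, while the corrected walk records none and produces the same tree; depth_allowed() returns True for depth 1 regardless of the limit and rejects an "infinity" request only when a finite limit is configured.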