[ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeff Young updated SLING-2320:
------------------------------

    Attachment: servlet_tests.patch

I've attached the first patch (a unit test for the JSON GET servlet, and some 
changes to the Mock classes).

The attached POM files therefore had to have some SNAPSHOT versions in them. I 
presume those get rolled to the next greater even microversion or something, 
but I wasn't sure of the exact process so I left them SNAPSHOTS.

(I'll be in Basel this Thurs/Fri, perhaps I can get some time with Felix or 
Carsten to go over that part just for future reference.)
                
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Felix Meschberger
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary 
> method for JSON introspection of the repository hierarchy.  DOS protection 
> should only apply to "deep" traversals; that is, anything with a depth 
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: 
> http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.
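The depth rule the issue asks for, as a stand-alone model added here (this is not Sling's own servlet code and does not use its API): the request path is parsed with plain string handling, the repository is a constructed in-memory tree, and `maxNodes` is an assumed stand-in for whatever the real servlet's configured DOS threshold is. `allowedBefore` applies the limit to every depth, which is what makes a depth-1 listing of a node with many children fail; `allowedAfter` lets depth 0 and 1 through unconditionally and limits only deeper traversals, `infinity` included.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Stand-alone model of the depth rule from SLING-2320 (added example, not Sling's own code).
 * Selector handling here is plain string parsing on the request path; the node limit
 * ("maxNodes") stands in for whatever the real servlet's configured DOS threshold is.
 */
public class JsonDepthGuard {

    /** Sentinel for the "infinity" selector. */
    static final int INFINITE = -1;

    /** Minimal repository node: a name and its children (constructed sample data, not JCR). */
    static final class Node {
        final String name;
        final List<Node> children = new ArrayList<>();
        Node(String name) { this.name = name; }
    }

    /**
     * Extract the requested depth from paths such as "/content/site.1.json" or
     * "/content/site.infinity.json". No depth selector means depth 0 (the node only).
     * Assumption: the depth is the last selector before the ".json" extension.
     */
    static int requestedDepth(String path) {
        String last = path.substring(path.lastIndexOf('/') + 1);
        String[] parts = last.split("\\.");
        if (parts.length < 3) {
            return 0;                       // "name.json": no selector at all
        }
        String selector = parts[parts.length - 2];
        if ("infinity".equals(selector)) {
            return INFINITE;
        }
        try {
            return Math.max(0, Integer.parseInt(selector));
        } catch (NumberFormatException e) {
            return 0;                       // unrelated selector: treat as no depth
        }
    }

    /** Count the node itself plus descendants down to {@code depth} levels (INFINITE = whole subtree). */
    static int countNodes(Node n, int depth) {
        int total = 1;
        if (depth == 0) {
            return total;
        }
        int next = (depth == INFINITE) ? INFINITE : depth - 1;
        for (Node c : n.children) {
            total += countNodes(c, next);
        }
        return total;
    }

    /** Behaviour the issue complains about: the limit applies at every depth, so a node
     *  with many direct children cannot even be listed. */
    static boolean allowedBefore(Node root, String path, int maxNodes) {
        return countNodes(root, requestedDepth(path)) <= maxNodes;
    }

    /** Behaviour the issue asks for: depth 0 and 1 always succeed; only deeper traversals
     *  (including infinity) are subject to the limit. */
    static boolean allowedAfter(Node root, String path, int maxNodes) {
        int depth = requestedDepth(path);
        if (depth != INFINITE && depth <= 1) {
            return true;
        }
        return countNodes(root, depth) <= maxNodes;
    }

    public static void main(String[] args) {
        // Constructed sample tree: 50 children, each with 10 grandchildren (551 nodes in total).
        Node site = new Node("site");
        for (int i = 0; i < 50; i++) {
            Node child = new Node("child" + i);
            for (int j = 0; j < 10; j++) {
                child.children.add(new Node("leaf" + j));
            }
            site.children.add(child);
        }
        int maxNodes = 40;                  // assumed DOS threshold for this illustration

        String[] requests = {
            "/content/site.json",           // depth 0: 1 node -> allowed either way
            "/content/site.1.json",         // depth 1: 51 nodes -> rejected before, allowed after
            "/content/site.2.json",         // depth 2: 551 nodes -> rejected either way
            "/content/site.infinity.json",  // infinity: 551 nodes -> rejected either way
        };
        for (String r : requests) {
            System.out.printf("%-30s before=%-5s after=%s%n", r,
                allowedBefore(site, r, maxNodes), allowedAfter(site, r, maxNodes));
        }
    }
}
```

Running `main` prints one line per request; the `site.1.json` row is the case this issue is about, failing under the old rule and passing under the new one, while the depth-2 and `infinity` rows stay limited in both.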

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira