[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

2012-11-09 Thread Carsten Ziegeler (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Carsten Ziegeler updated SLING-2320:


Attachment: (was: servlets-get.patch)

> Current DOS-prevention for infinity.json can prevent enumeration of children
> 
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>Affects Versions: Servlets Get 2.1.0
>Reporter: Jeff Young
>Assignee: Felix Meschberger
>  Labels: newbie, patch
> Fix For: Servlets Get 2.1.4
>
> Attachments: json_get_servlet_rewrite.patch, jsonRenderer.diff, 
> servlets-get.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary 
> method for JSON introspection of the repository hierarchy.  DOS protection 
> should only apply to "deep" traversals; that is, anything with a depth 
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: 
> http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

2012-11-09 Thread Carsten Ziegeler (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Carsten Ziegeler updated SLING-2320:


Attachment: servlets-get.patch

Again a new version, which does even more code cleanup

> Current DOS-prevention for infinity.json can prevent enumeration of children
> 
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>Affects Versions: Servlets Get 2.1.0
>Reporter: Jeff Young
>Assignee: Felix Meschberger
>  Labels: newbie, patch
> Fix For: Servlets Get 2.1.4
>
> Attachments: json_get_servlet_rewrite.patch, jsonRenderer.diff, 
> servlets-get.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary 
> method for JSON introspection of the repository hierarchy.  DOS protection 
> should only apply to "deep" traversals; that is, anything with a depth 
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: 
> http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.



[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

2012-11-09 Thread Carsten Ziegeler (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Carsten Ziegeler updated SLING-2320:


Attachment: servlets-get.patch

I've updated the patch, which avoids searching the parent and also cleans up the 
code

> Current DOS-prevention for infinity.json can prevent enumeration of children
> 
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>Affects Versions: Servlets Get 2.1.0
>Reporter: Jeff Young
>Assignee: Felix Meschberger
>  Labels: newbie, patch
> Fix For: Servlets Get 2.1.4
>
> Attachments: json_get_servlet_rewrite.patch, jsonRenderer.diff, 
> servlets-get.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary 
> method for JSON introspection of the repository hierarchy.  DOS protection 
> should only apply to "deep" traversals; that is, anything with a depth 
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: 
> http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.



[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

2012-11-09 Thread Carsten Ziegeler (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Carsten Ziegeler updated SLING-2320:


Attachment: (was: servlets-get.patch)

> Current DOS-prevention for infinity.json can prevent enumeration of children
> 
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>Affects Versions: Servlets Get 2.1.0
>Reporter: Jeff Young
>Assignee: Felix Meschberger
>  Labels: newbie, patch
> Fix For: Servlets Get 2.1.4
>
> Attachments: json_get_servlet_rewrite.patch, jsonRenderer.diff, 
> servlets-get.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary 
> method for JSON introspection of the repository hierarchy.  DOS protection 
> should only apply to "deep" traversals; that is, anything with a depth 
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: 
> http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.



[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

2012-11-09 Thread Carsten Ziegeler (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Carsten Ziegeler updated SLING-2320:


Attachment: servlets-get.patch

Patch which avoids serializing/deserializing JSON objects

> Current DOS-prevention for infinity.json can prevent enumeration of children
> 
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>Affects Versions: Servlets Get 2.1.0
>Reporter: Jeff Young
>Assignee: Felix Meschberger
>  Labels: newbie, patch
> Fix For: Servlets Get 2.1.4
>
> Attachments: json_get_servlet_rewrite.patch, jsonRenderer.diff, 
> servlets-get.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary 
> method for JSON introspection of the repository hierarchy.  DOS protection 
> should only apply to "deep" traversals; that is, anything with a depth 
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: 
> http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.



[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

2011-12-12 Thread Jeff Young (Updated) (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Young updated SLING-2320:
--

Attachment: json_get_servlet_rewrite.patch

No worries, Justin.  I've got one more anyway ;)

Hopefully this is the final installment.
Rewrite of JSON GET servlet to:
a) not throw two exceptions per node finding the parent (in fact, we don't look 
for the parent at all anymore as the JSON rendering is now done via a 
second-pass, depth-first traversal rather than during the breadth-first 
depthCheck)
b) not serialize/de-serialize/re-serialize the JSON (also due to the above 
two-pass approach)
c) use ArrayLists instead of LinkedLists for breadth-first traversal (to reduce 
memory allocation calls)
d) not use exceptions for limiting depth

> Current DOS-prevention for infinity.json can prevent enumeration of children
> 
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>Affects Versions: Servlets Get 2.1.0
>Reporter: Jeff Young
>Assignee: Justin Edelson
>  Labels: newbie, patch
> Fix For: Servlets Get 2.1.4
>
> Attachments: jsonRenderer.diff, json_get_servlet_rewrite.patch, 
> servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary 
> method for JSON introspection of the repository hierarchy.  DOS protection 
> should only apply to "deep" traversals; that is, anything with a depth 
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: 
> http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.





[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

2011-12-08 Thread Carsten Ziegeler (Updated) (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Carsten Ziegeler updated SLING-2320:


Attachment: (was: jsonRenderer.diff)

> Current DOS-prevention for infinity.json can prevent enumeration of children
> 
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>Affects Versions: Servlets Get 2.1.0
>Reporter: Jeff Young
>Assignee: Felix Meschberger
>  Labels: newbie, patch
> Fix For: Servlets Get 2.1.4
>
> Attachments: jsonRenderer.diff, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary 
> method for JSON introspection of the repository hierarchy.  DOS protection 
> should only apply to "deep" traversals; that is, anything with a depth 
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: 
> http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.





[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

2011-12-08 Thread Carsten Ziegeler (Updated) (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Carsten Ziegeler updated SLING-2320:


Attachment: (was: servlet_tests.patch)

> Current DOS-prevention for infinity.json can prevent enumeration of children
> 
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>Affects Versions: Servlets Get 2.1.0
>Reporter: Jeff Young
>Assignee: Felix Meschberger
>  Labels: newbie, patch
> Fix For: Servlets Get 2.1.4
>
> Attachments: jsonRenderer.diff, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary 
> method for JSON introspection of the repository hierarchy.  DOS protection 
> should only apply to "deep" traversals; that is, anything with a depth 
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: 
> http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.





[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

2011-12-08 Thread Jeff Young (Updated) (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Young updated SLING-2320:
--

Attachment: jsonRenderer.diff

> Current DOS-prevention for infinity.json can prevent enumeration of children
> 
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>Affects Versions: Servlets Get 2.1.0
>Reporter: Jeff Young
>Assignee: Felix Meschberger
>  Labels: newbie, patch
> Fix For: Servlets Get 2.1.4
>
> Attachments: jsonRenderer.diff, jsonRenderer.diff, 
> servlet_tests.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary 
> method for JSON introspection of the repository hierarchy.  DOS protection 
> should only apply to "deep" traversals; that is, anything with a depth 
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: 
> http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.





[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

2011-12-08 Thread Jeff Young (Updated) (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Young updated SLING-2320:
--

Attachment: servlet_tests.patch

> Current DOS-prevention for infinity.json can prevent enumeration of children
> 
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>Affects Versions: Servlets Get 2.1.0
>Reporter: Jeff Young
>Assignee: Felix Meschberger
>  Labels: newbie, patch
> Fix For: Servlets Get 2.1.4
>
> Attachments: jsonRenderer.diff, jsonRenderer.diff, 
> servlet_tests.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary 
> method for JSON introspection of the repository hierarchy.  DOS protection 
> should only apply to "deep" traversals; that is, anything with a depth 
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: 
> http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.





[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

2011-12-07 Thread Jeff Young (Updated) (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Young updated SLING-2320:
--

Attachment: servlet_tests.patch

I've attached the first patch (a unit test for the JSON GET servlet, and some 
changes to the Mock classes).

The attached POM files therefore had to have some SNAPSHOT versions in them. I 
presume those get rolled to the next greater even microversion or something, 
but I wasn't sure of the exact process so I left them SNAPSHOTS.

(I'll be in Basel this Thurs/Fri, perhaps I can get some time with Felix or 
Carsten to go over that part just for future reference.)

> Current DOS-prevention for infinity.json can prevent enumeration of children
> 
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>Affects Versions: Servlets Get 2.1.0
>Reporter: Jeff Young
>Assignee: Felix Meschberger
>  Labels: newbie, patch
> Fix For: Servlets Get 2.1.4
>
> Attachments: jsonRenderer.diff, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary 
> method for JSON introspection of the repository hierarchy.  DOS protection 
> should only apply to "deep" traversals; that is, anything with a depth 
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: 
> http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.





[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

2011-12-05 Thread Jeff Young (Updated) (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Young updated SLING-2320:
--

Attachment: jsonRenderer.diff

Ostensibly, this would just be a one-liner.  However, I discovered that the 
routine ResourceTraversor:check() had a rather large side-effect: it collects 
all the JSON objects which will later be output.  So if you don't do a check(), 
you don't get any output.

So I also renamed the routine (and some of its subroutines) such that the 
primary action is no longer a side-effect.

> Current DOS-prevention for infinity.json can prevent enumeration of children
> 
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>Affects Versions: Servlets Get 2.1.0
>Reporter: Jeff Young
>  Labels: newbie, patch
> Attachments: jsonRenderer.diff
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary 
> method for JSON introspection of the repository hierarchy.  DOS protection 
> should only apply to "deep" traversals; that is, anything with a depth 
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: 
> http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

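The two-pass design Jeff describes above (a breadth-first depth check that no longer relies on exceptions, then a separate depth-first render, with resource.1.json exempt from the limit) and his earlier point that check() should not be the thing that collects the output, modelled as an added Python example. This is not Sling's ResourceTraversor or JSON GET servlet; the Resource class, the max_resources parameter, the INFINITY encoding and the sample tree are assumptions constructed for the illustration.

```python
from __future__ import annotations
from typing import Optional

# Constructed stand-in for a repository resource (assumption, not the Sling API).
class Resource:
    def __init__(self, name: str, props: dict, children: Optional[list] = None):
        self.name = name
        self.props = props
        self.children = children or []

INFINITY = -1  # assumed encoding of the ".infinity" selector

def parse_depth(selector: str) -> int:
    """Map a request selector ('1', '2', 'infinity') to a depth; anything else is 0."""
    if selector == "infinity":
        return INFINITY
    return int(selector) if selector.isdigit() else 0

def within_limit(root: Resource, depth: int, max_resources: int) -> bool:
    """First pass: breadth-first count of resources down to `depth`.
    No side effects and no exceptions: returns False as soon as the count
    would exceed `max_resources`. Depth 0 and 1 are exempt, so a plain
    listing of direct children (resource.1.json) always succeeds."""
    if depth in (0, 1):
        return True
    count, current = 0, 0
    level = [root]                      # plain lists, one per level
    while level and (depth == INFINITY or current < depth):
        next_level = []
        for res in level:
            for child in res.children:
                count += 1
                if count > max_resources:
                    return False        # deep traversal refused
                next_level.append(child)
        level = next_level
        current += 1
    return True

def render(res: Resource, depth: int) -> dict:
    """Second pass: depth-first rendering into a JSON-like dict,
    done only after the size check has passed."""
    out = dict(res.props)
    if depth == INFINITY or depth > 0:
        child_depth = INFINITY if depth == INFINITY else depth - 1
        for child in res.children:
            out[child.name] = render(child, child_depth)
    return out

def json_get(root: Resource, selector: str, max_resources: int) -> Optional[dict]:
    """Model of the servlet's decision: None means the request was refused
    as too deep; otherwise the rendered hierarchy."""
    depth = parse_depth(selector)
    if not within_limit(root, depth, max_resources):
        return None
    return render(root, depth)

# Constructed sample hierarchy: a folder with 3 pages, each with 2 paragraphs.
TREE = Resource("content", {"jcr:primaryType": "sling:Folder"}, [
    Resource(f"page{i}", {"title": f"Page {i}"}, [
        Resource(f"par{j}", {"text": f"p{i}-{j}"}) for j in range(2)
    ]) for i in range(3)
])
```

With a limit of 5, the depth-1 listing of the sample tree still succeeds while the infinity request is refused, which is the behaviour the issue asks for.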




[jira] [Updated] (SLING-2320) Current DOS-prevention for infinity.json can prevent enumeration of children

2011-12-05 Thread Jeff Young (Updated) (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Young updated SLING-2320:
--

Description: 
A request of resource.1.json should always succeed, as it's the primary method 
for JSON introspection of the repository hierarchy.  DOS protection should only 
apply to "deep" traversals; that is, anything with a depth greater than 1 (and, 
in particular, resource.infinity.json).

For a fuller discussion, see: 
http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.

  was:A request of resource.1.json should always succeed, as it's the primary 
method for JSON introspection of the repository hierarchy.  DOS protection 
should only apply to "deep" traversals; that is, anything with a depth greater 
than 1 (and, in particular, resource.infinity.json).


> Current DOS-prevention for infinity.json can prevent enumeration of children
> 
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>Affects Versions: Servlets Get 2.1.0
>Reporter: Jeff Young
>  Labels: newbie, patch
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary 
> method for JSON introspection of the repository hierarchy.  DOS protection 
> should only apply to "deep" traversals; that is, anything with a depth 
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: 
> http://www.mail-archive.com/dev@sling.apache.org/msg13961.html.
