[jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.
[ https://issues.apache.org/jira/browse/SLING-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12859663#action_12859663 ]

Ian Boston commented on SLING-1308:

At the moment, I can't see where to update the documentation, as I can't find any documentation on "infinity".

> Node.infinity.json contains risk for DOS.
>
> Key: SLING-1308
> URL: https://issues.apache.org/jira/browse/SLING-1308
> Project: Sling
> Issue Type: Bug
> Components: Servlets
> Affects Versions: Servlets Get 2.0.8
> Reporter: Simon Gaeremynck
> Assignee: Ian Boston
> Priority: Critical
> Attachments: jsonRenderer.diff, jsonRenderer.diff
>
> As it is now any user can do a node.infinity.json.
> If this happens on the root node in a repository with many items, it will cause the server to slow down (eventually crash?)
> I've created a patch confirming the discussion @
> http://markmail.org/search/?q=node.infinity#query:node.infinity+page:1+mid:ugqjyqdz2trfpdkr+state:results

--
This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
Re: [jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.
Thank you, updated with a note. Strange that search didn't find it.

Ian

On 22 Jan 2010, at 14:00, John Crawford wrote:

> Here is one reference
> http://cwiki.apache.org/SLING/using-curl-with-sling.html
>
> Respectfully,
> John
>
> On Thu, Jan 21, 2010 at 4:43 PM, Ian Boston wrote:
>
>> I have searched, and I can't find where "infinity" is documented on the Sling web site, any pointers?
>>
>> Ian
>>
>> On 21 Jan 2010, at 22:27, Ian Boston (JIRA) wrote:
>>
>>> Ian Boston commented on SLING-1308:
>>>
>>> Patch applies ok and the integration tests pass.
>>>
>>> However, I have reverted the changes to the Sling API to eliminate the need to depend on a later version of the API.
>>> Also there was a license header missing, added in.
>>>
>>> Other than that LGTM,
>>> I will go and find the doc and update that as well.
Re: [jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.
Here is one reference
http://cwiki.apache.org/SLING/using-curl-with-sling.html

Respectfully,
John

On Thu, Jan 21, 2010 at 4:43 PM, Ian Boston wrote:

> I have searched, and I can't find where "infinity" is documented on the Sling web site, any pointers?
>
> Ian
>
> On 21 Jan 2010, at 22:27, Ian Boston (JIRA) wrote:
>
>> Ian Boston commented on SLING-1308:
>>
>> Patch applies ok and the integration tests pass.
>>
>> However, I have reverted the changes to the Sling API to eliminate the need to depend on a later version of the API.
>> Also there was a license header missing, added in.
>>
>> Other than that LGTM,
>> I will go and find the doc and update that as well.
Re: [jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.
I have searched, and I can't find where "infinity" is documented on the Sling web site, any pointers?

Ian

On 21 Jan 2010, at 22:27, Ian Boston (JIRA) wrote:

> Ian Boston commented on SLING-1308:
>
> Patch applies ok and the integration tests pass.
>
> However, I have reverted the changes to the Sling API to eliminate the need to depend on a later version of the API.
> Also there was a license header missing, added in.
>
> Other than that LGTM,
> I will go and find the doc and update that as well.
[jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.
[ https://issues.apache.org/jira/browse/SLING-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12803510#action_12803510 ]

Ian Boston commented on SLING-1308:

Patch applies ok and the integration tests pass.

However, I have reverted the changes to the Sling API to eliminate the need to depend on a later version of the API.
Also there was a license header missing, added in.

Other than that LGTM,
I will go and find the doc and update that as well.
[jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.
[ https://issues.apache.org/jira/browse/SLING-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12803250#action_12803250 ]

Simon Gaeremynck commented on SLING-1308:

Yes, I removed the Location header as you said in your last mail in the thread. The bug must have crept in when I removed the response.setHeader line. Serves me right for not testing it again.
[jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.
[ https://issues.apache.org/jira/browse/SLING-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12803248#action_12803248 ]

Alexander Klimetschek commented on SLING-1308:

Just to clarify: this patch does not set the Location header (AFAICS), but simply returns the possible URLs like /.1.json, /.2.json, etc. up until the maximum depth that returns a number of nodes below the configurable limit.

But there seems to be a bug in the latest patch: allowedLevel should be decremented in the loop, otherwise it seems endless:

+while (allowedLevel >= 0) {
+ writer.value(r.getPath() + "." + tidyUrl + allowedLevel + ".json");
+}
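Review bot: nothing in the body of the quoted loop changes allowedLevel, so `while (allowedLevel >= 0)` can never become false and the writer is fed the same URL indefinitely; the guard against one unbounded response would itself produce an unbounded response. Count down explicitly, for example `for (int level = allowedLevel; level >= 0; level--) { writer.value(r.getPath() + "." + tidyUrl + level + ".json"); }`, and decide whether level 0, which lists only the node's own properties, is meant to be offered as an alternative.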
[jira] Commented: (SLING-1308) Node.infinity.json contains risk for DOS.
[ https://issues.apache.org/jira/browse/SLING-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12803233#action_12803233 ]

Ian Boston commented on SLING-1308:

Happy to apply this and fix the import orders, but I am going to wait a few hours just in case anyone wants to shout.
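The mitigation the issue description and Alexander Klimetschek's clarification converge on, as an added stand-alone example (not Sling's own code and not the jsonRenderer.diff patch): count nodes under the requested path only until a configurable limit is exceeded, honour `.infinity.json` only when the whole subtree fits, and otherwise list the finite depths that do fit, deepest first. `TreeNode`, `DepthLimiter`, `countUpTo`, `allowedDepth` and `alternatives` are hypothetical names standing in for the JCR node and the servlet, and the sample tree is constructed inline.

```java
import java.util.ArrayList;
import java.util.List;

final class TreeNode { // hypothetical stand-in for a JCR node: a path plus child nodes
    final String path;
    final List<TreeNode> children = new ArrayList<>();
    TreeNode(String path) { this.path = path; }
    TreeNode add(String name) { TreeNode c = new TreeNode(("/".equals(path) ? "" : path) + "/" + name); children.add(c); return c; }
}

final class DepthLimiter {
    static final int INFINITY = Integer.MAX_VALUE;
    // Nodes within maxDepth of n. The walk stops as soon as limit is exceeded, so the
    // check itself cannot become the unbounded traversal it is there to prevent.
    static int countUpTo(TreeNode n, int maxDepth, int limit) {
        int count = 1;
        for (int i = 0; i < n.children.size() && maxDepth > 0 && count <= limit; i++)
            count += countUpTo(n.children.get(i), maxDepth - 1, limit - count);
        return count;
    }
    // Deepest level within limit: INFINITY if the whole subtree fits, -1 if the node alone does not.
    static int allowedDepth(TreeNode root, int limit) {
        int previous = -1;
        for (int depth = 0; ; depth++) {
            int count = countUpTo(root, depth, limit);
            if (count > limit) return depth - 1;
            if (count == previous) return INFINITY; // no growth: the tree is exhausted
            previous = count;
        }
    }
    // URLs to offer instead of <path>.infinity.json, deepest first ("tidy." mirrors the patch's
    // tidyUrl prefix); the level counts down, so unlike the quoted loop this one terminates.
    static List<String> alternatives(TreeNode root, int allowed, boolean tidy) {
        List<String> urls = new ArrayList<>();
        for (int level = allowed; level >= 0; level--)
            urls.add(root.path + "." + (tidy ? "tidy." : "") + level + ".json");
        return urls;
    }
    public static void main(String[] args) {
        TreeNode root = new TreeNode("/"); // constructed sample: 1 + 3 + 12 + 24 = 40 nodes
        for (int i = 0; i < 3; i++) { TreeNode c = root.add("c" + i); for (int j = 0; j < 4; j++) { TreeNode g = c.add("g" + j); g.add("x"); g.add("y"); } }
        for (int limit : new int[] {10, 100}) {
            int allowed = allowedDepth(root, limit);
            System.out.println("limit " + limit + ": " + (allowed == INFINITY ? "infinity is safe" : alternatives(root, allowed, false)));
        }
    }
}
```

With the 40-node sample tree, a limit of 10 caps the request at depth 1 and offers `/.1.json` and `/.0.json`, while a limit of 100 lets the full `.infinity.json` response through.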