[jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Jon Moore (Commented) (JIRA) Thu, 12 Jan 2012 12:49:04 -0800

    [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13185226#comment-13185226
 ]


Jon Moore commented on HTTPCLIENT-1153:
---------------------------------------

@Sebb: I don't think this applies to us, as we're not using a HashMap. Rather, 
I'm applying a hash function to map one set of values (the URLs the caching 
layer uses as cache keys) to another set of values (keys short enough to fit in 
the 250-byte constraint). The actual data structure (if any) that might be 
affected here would be in memcached. However, I'm planning on using a 
cryptographic hash algorithm, so it's unlikely to be subject to the types of 
the attacks described in the vulnerability (e.g. the very simple hash functions 
commonly used for Object#hashCode()).
                
> org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses 
> URL as cache key - shouldn't.
> --------------------------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1153
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1153
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.1.1, 4.1.2
>            Reporter: Clinton Nielsen
>            Assignee: Jon Moore
>             Fix For: 4.1.3, 4.2 Alpha2
>
>
> Spy memcached has 250 defined as max key length:
> http://dustin.github.com/java-memcached-client/apidocs/constant-values.html#net.spy.memcached.MemcachedClientIF.MAX_KEY_LENGTH
> URLs can be (and often are) much longer than 250 characters.
> URLs should be hashed before being used as keys.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

Reply via email to