[ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163073#comment-13163073 ]
Jeff Young edited comment on SLING-2320 at 12/5/11 9:45 PM:
------------------------------------------------------------
Yeah, I was also somewhat concerned by the fact that
ResourceTraversor.getParentJSONObject() will throw two exceptions *for every
node traversed*. (The first is thrown because the leading "/" isn't trimmed
off of pathDiff, yielding an empty path segment, and the second because the
last path looked for is self, which of course doesn't exist yet.)
But I didn't want to extend my remit beyond what I had been granted permission
to fix....
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
> Key: SLING-2320
> URL: https://issues.apache.org/jira/browse/SLING-2320
> Project: Sling
> Issue Type: Bug
> Components: Servlets
> Affects Versions: Servlets Get 2.1.0
> Reporter: Jeff Young
> Assignee: Felix Meschberger
> Labels: newbie, patch
> Attachments: jsonRenderer.diff
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary
> method for JSON introspection of the repository hierarchy. DOS protection
> should only apply to "deep" traversals; that is, anything with a depth
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see:
> http://www.mail-archive.com/[email protected]/msg13961.html.
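As an added illustration (not Sling's own code, and written language-neutrally in Python rather than against the Sling API) of the two points made in this thread: the resource-count guard is applied only when the requested depth exceeds 1, so a `resource.1.json` request always enumerates direct children, and the parent lookup strips the leading `/` and the final (self) segment from the relative path before walking the JSON tree, which avoids the two per-node exceptions the comment describes. The repository contents, `MAX_RESOURCES`, and every function name here are constructed assumptions.

```python
"""Sketch of depth-gated JSON rendering with a safe parent lookup (constructed example)."""
import math

# Constructed sample repository: absolute path -> properties of that node.
REPO = {
    "/content": {"jcr:primaryType": "sling:Folder"},
    "/content/a": {"title": "A"},
    "/content/a/x": {"title": "X"},
    "/content/b": {"title": "B"},
}

# Hypothetical traversal limit, standing in for the servlet's DOS guard.
MAX_RESOURCES = 3


class TooManyResources(Exception):
    """Raised when a deep traversal exceeds the configured resource limit."""


def parse_depth(selector):
    """Map the selector of resource.<selector>.json to a depth; 'infinity' -> inf."""
    if selector == "infinity":
        return math.inf
    try:
        return int(selector)
    except ValueError:
        return 0


def children_of(path):
    """Return the direct children of `path` in the sample repository."""
    prefix = path.rstrip("/") + "/"
    return sorted(p for p in REPO if p.startswith(prefix) and "/" not in p[len(prefix):])


def parent_segments(root_path, path):
    """Relative path segments leading to the *parent* of `path`.

    Trimming the leading '/' avoids an empty first segment, and dropping the
    last segment avoids looking up the node itself before it has been created.
    """
    rel = path[len(root_path):].lstrip("/")
    return rel.split("/")[:-1] if rel else []


def get_parent_json_object(root_obj, root_path, path):
    """Walk from the root JSON object to the object that should hold `path`."""
    obj = root_obj
    for seg in parent_segments(root_path, path):
        obj = obj.setdefault(seg, {})
    return obj


def render(root_path, selector, max_resources=MAX_RESOURCES):
    """Render `root_path` as a nested dict, descending `selector` levels.

    The resource limit is enforced only for deep traversals (depth > 1), so a
    depth-1 listing of direct children can never be blocked by the guard.
    """
    depth = parse_depth(selector)
    tree = dict(REPO[root_path])
    count = 0
    queue = [(root_path, 0)]
    while queue:
        path, level = queue.pop(0)
        if level >= depth:
            continue
        for child in children_of(path):
            count += 1
            if depth > 1 and count > max_resources:
                raise TooManyResources(f"traversal exceeded {max_resources} resources")
            parent = get_parent_json_object(tree, root_path, child)
            parent[child.rsplit("/", 1)[1]] = dict(REPO[child])
            queue.append((child, level + 1))
    return tree


if __name__ == "__main__":
    print(render("/content", "1"))
    print(render("/content", "infinity", max_resources=10))
```

With the guard set below the number of direct children, `render("/content", "1")` still succeeds, while `render("/content", "infinity")` raises once the limit is crossed; `parent_segments` never yields an empty segment or the node's own name.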