[ https://issues.apache.org/jira/browse/SLING-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeff Young updated SLING-2320:
------------------------------

    Attachment: json_get_servlet_rewrite.patch

No worries, Justin.  I've got one more anyway ;)

Hopefully this is the final installment.
Rewrite of JSON GET servlet to:
a) not throw two exceptions per node finding the parent (in fact, we don't look for the parent at all anymore as the JSON rendering is now done via a second-pass, depth-first traversal rather than during the breadth-first depthCheck)
b) not serialize/de-serialize/re-serialize the JSON (also due to the above two-pass approach)
c) use ArrayLists instead of LinkedLists for breadth-first traversal (to reduce memory allocation calls)
d) not use exceptions for limiting depth
> Current DOS-prevention for infinity.json can prevent enumeration of children
> ----------------------------------------------------------------------------
>
>                 Key: SLING-2320
>                 URL: https://issues.apache.org/jira/browse/SLING-2320
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.0
>            Reporter: Jeff Young
>            Assignee: Justin Edelson
>              Labels: newbie, patch
>             Fix For: Servlets Get 2.1.4
>
>         Attachments: jsonRenderer.diff, json_get_servlet_rewrite.patch, servlet_tests.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> A request of resource.1.json should always succeed, as it's the primary 
> method for JSON introspection of the repository hierarchy.  DOS protection 
> should only apply to "deep" traversals; that is, anything with a depth 
> greater than 1 (and, in particular, resource.infinity.json).
> For a fuller discussion, see: 
> http://www.mail-archive.com/[email protected]/msg13961.html.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
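The two-pass approach the comment above describes (a breadth-first node count bounded by a plain loop rather than by exceptions, followed by a single depth-first pass that builds the JSON once, with the DOS limit applied only to depths greater than 1 so that resource.1.json always succeeds), as an added Python illustration. This is not Sling's JsonRendererServlet code nor the patch itself; the resource-tree shape, the INFINITY sentinel, the default resource limit and the status codes are assumptions of this example.

```python
"""Added illustration of the two-pass rendering described in SLING-2320.

A resource is a dict with "props" (flat dict of name -> value) and
"children" (dict of name -> resource, in order). This shape, the INFINITY
sentinel, DEFAULT_MAX_RESOURCES and the status codes are assumptions of the
example, not Sling's own API.
"""
import json

INFINITY = -1                 # depth value for a "resource.infinity.json" request
DEFAULT_MAX_RESOURCES = 200   # assumed limit for "deep" requests


class TooManyResources(Exception):
    """Raised by the pre-flight count only; depth bounding itself uses no exceptions."""


def parse_depth(selector):
    """Map the request selector ("0", "1", "infinity") to a depth value."""
    return INFINITY if selector == "infinity" else int(selector)


def count_resources(root, max_depth, max_resources):
    """Pass 1: breadth-first count of the resources within max_depth.

    Plain lists serve as level queues (the analogue of the patch's ArrayList
    choice). The walk stops as soon as the limit is crossed, so an enormous
    subtree is never traversed in full. Returns the count or raises
    TooManyResources.
    """
    count = 0
    level = [root]
    depth = 0
    while level and (max_depth == INFINITY or depth <= max_depth):
        count += len(level)
        if count > max_resources:
            raise TooManyResources(count)
        next_level = []
        for res in level:
            next_level.extend(res["children"].values())
        level = next_level
        depth += 1
    return count


def render(res, remaining):
    """Pass 2: depth-first rendering straight into a JSON-serialisable dict.

    `remaining` is how many more levels of children to include; the bound is
    an arithmetic check, not an exception. INFINITY means no bound. The
    result is serialised exactly once by the caller.
    """
    out = dict(res["props"])
    if remaining == 0:
        return out
    next_remaining = remaining if remaining == INFINITY else remaining - 1
    for name, child in res["children"].items():
        out[name] = render(child, next_remaining)
    return out


def get_json(root, depth, max_resources=DEFAULT_MAX_RESOURCES):
    """Handle a resource.<depth>.json request; returns (status, body).

    The DOS check is applied only to deep requests (depth > 1 or infinity),
    so resource.0.json and resource.1.json always succeed, which is the
    point of SLING-2320. Status codes are assumed for the example.
    """
    if depth == INFINITY or depth > 1:
        try:
            count_resources(root, depth, max_resources)
        except TooManyResources:
            body = {"error": f"request would load more than {max_resources} resources"}
            return 500, json.dumps(body)
    return 200, json.dumps(render(root, depth))


def make_tree(name, fanout, levels):
    """Constructed sample data: every node has `fanout` children, `levels` deep."""
    children = {}
    if levels > 0:
        for i in range(fanout):
            child_name = f"child{i}"
            children[child_name] = make_tree(child_name, fanout, levels - 1)
    return {"props": {"jcr:primaryType": "nt:unstructured", "name": name},
            "children": children}


if __name__ == "__main__":
    tree = make_tree("root", 50, 2)   # 1 + 50 + 2500 = 2551 resources
    print(get_json(tree, parse_depth("1"), max_resources=10)[0])         # 200
    print(get_json(tree, parse_depth("infinity"), max_resources=200)[0])  # 500
```

The point to check when porting this to a real servlet is the condition in get_json: with a limit of 10, a depth-1 request on a node with 50 children still returns 200, whereas the same limit makes resource.infinity.json fail fast during the first pass without ever building the JSON.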

