[ https://issues.apache.org/jira/browse/THRIFT-1310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15523824#comment-15523824 ]

James E. King, III edited comment on THRIFT-1310 at 9/26/16 6:29 PM:
---------------------------------------------------------------------

It sounds like the issue is in the server side.  If a client can disconnect, 
reconnect, and get a response from a previous connection, that is a major 
security issue, because then any other client that connects (not necessarily 
the one that "re"connects) could get data that doesn't belong to it.  This 
should not be checked on the client with seqId matching... this is a 
server-side defect and a high priority, security issue.  Disconnecting should 
ensure that any outstanding requests at the time of disconnect are either 
canceled or run to completion; however, their response should never be accessible, 
because the client that started them has disconnected.


was (Author: jking3):
It sounds like the issue is in the server side.  If a client can disconnect, 
reconnect, and get a response from a previous connection, that is a major 
security issue, because then any other client that connects (not necessarily 
the one that "re"connects) could get data that doesn't belong to it.  This 
should not be checked on the client with seqId matching... this is a 
server-side defect and a high priority, security issue.

> Generated PHP client code does not check sequence ID in messages
> ----------------------------------------------------------------
>
>                 Key: THRIFT-1310
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1310
>             Project: Thrift
>          Issue Type: Bug
>          Components: PHP - Library
>    Affects Versions: 0.7
>            Reporter: Fang Jian
>            Priority: Critical
>              Labels: security-issue
>         Attachments: t_php_generator.patch
>
>
> The PHP client code does not check the sequence ID in messages; when the client 
> connection times out, the results are returned out of sequence. I try to fix this by 
> throwing an exception when the sequence ID is not equal. The patch file is listed below.
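As an added illustration, not code from the Thrift project or from either commenter, the following shows both sides of the discussion above: the client-side seqid check the reporter proposes, and the connection-bound reply handling the comment argues the server must provide. It assumes the header layout of Thrift's TBinaryProtocol (a version word OR'ed with the message type, the method name, then an i32 sequence id); the in-memory transport, the `getBalance` method name and the payload strings are constructed for the example.

```python
"""Sequence-id checking for Thrift-style RPC replies (constructed example)."""
import struct
from collections import deque

VERSION_1 = 0x80010000          # TBinaryProtocol strict-mode version word
CALL, REPLY = 1, 2              # the two Thrift message types used here


class SequenceMismatch(Exception):
    """The reply's seqid or method name does not match the outstanding request."""


def encode_message(mtype, name, seqid, payload=b""):
    """Header as TBinaryProtocol writes it: version|type, method name, i32 seqid, body."""
    name_bytes = name.encode()
    return (struct.pack(">I", VERSION_1 | mtype)
            + struct.pack(">i", len(name_bytes)) + name_bytes
            + struct.pack(">i", seqid) + payload)


def decode_message(frame):
    """Inverse of encode_message; returns (mtype, name, seqid, payload)."""
    (word,) = struct.unpack(">I", frame[:4])
    if word & 0xFFFF0000 != VERSION_1:
        raise ValueError("bad protocol version word")
    (nlen,) = struct.unpack(">i", frame[4:8])
    name = frame[8:8 + nlen].decode()
    (seqid,) = struct.unpack(">i", frame[8 + nlen:12 + nlen])
    return word & 0xFF, name, seqid, frame[12 + nlen:]


class Connection:
    """Fake transport: frames the server has written, waiting for the client to read."""
    def __init__(self):
        self.inbound = deque()

    def read_frame(self):
        return self.inbound.popleft()


def recv_reply(conn, name, expected_seqid, check_seqid=True):
    """Read one reply.  check_seqid=True is the client-side guard the issue asks
    for; check_seqid=False reproduces the unpatched client, which trusts whatever
    frame arrives next."""
    mtype, rname, seqid, payload = decode_message(conn.read_frame())
    if mtype != REPLY:
        raise ValueError(f"unexpected message type {mtype}")
    if check_seqid and (seqid != expected_seqid or rname != name):
        raise SequenceMismatch(f"expected {name}#{expected_seqid}, got {rname}#{seqid}")
    return payload


def stale_reply_scenario(check_seqid):
    """Request #1 timed out, the client reconnected and sent #2, but the (buggy)
    server wrote the late reply for #1 onto the new connection ahead of #2."""
    new_conn = Connection()
    new_conn.inbound.append(encode_message(REPLY, "getBalance", 1, b"balance-of-first-call"))
    new_conn.inbound.append(encode_message(REPLY, "getBalance", 2, b"balance-of-second-call"))
    return recv_reply(new_conn, "getBalance", 2, check_seqid)


def stale_reply_detected():
    """True when the checking client refuses the stale frame instead of returning it."""
    try:
        stale_reply_scenario(check_seqid=True)
    except SequenceMismatch:
        return True
    return False


class ConnectionBoundServer:
    """The server-side behaviour the comment describes: a reply is written only to
    the connection whose request produced it, and once that connection is closed
    the result is discarded rather than handed to whoever connects next."""
    def __init__(self):
        self.conns = {}       # conn_id -> open Connection
        self.pending = {}     # (conn_id, seqid) -> method name

    def open(self, conn_id):
        self.conns[conn_id] = Connection()
        return self.conns[conn_id]

    def close(self, conn_id):
        # outstanding work may still run to completion, but its reply is unreachable
        self.conns.pop(conn_id, None)

    def request(self, conn_id, frame):
        _, name, seqid, _ = decode_message(frame)
        self.pending[(conn_id, seqid)] = name

    def complete(self, conn_id, seqid, payload):
        """Deliver a finished result; returns False if it had to be dropped."""
        name = self.pending.pop((conn_id, seqid))
        conn = self.conns.get(conn_id)
        if conn is None:
            return False
        conn.inbound.append(encode_message(REPLY, name, seqid, payload))
        return True
```

The two halves are complementary: the seqid check turns a silent data mix-up into a loud client-side failure, while keying replies to the originating connection on the server removes the possibility of the mix-up in the first place.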



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)