[https://issues.apache.org/jira/browse/THRIFT-1310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15523824#comment-15523824]
James E. King, III edited comment on THRIFT-1310 at 9/26/16 6:33 PM:
---------------------------------------------------------------------
It sounds like the issue is in the server side. If a client can disconnect,
reconnect, and get a response from a previous connection, that is a major
security issue, because then any other client that connects (not necessarily
the one that "re"connects) could get data that doesn't belong to it. This
should not be checked on the client with seqId matching... this is a
server-side defect and a high-priority security issue. Disconnecting should
ensure that any outstanding requests at the time of disconnect are either
canceled or run to completion; however, their response should never be accessible,
because the client that started them has disconnected.
Most servers only support one concurrent request per client. I haven't looked
at the PHP library yet so I don't know, but for servers that support multiple
requests from a client connection to be running simultaneously, the seqId is
used to allow the client to match a response to a reply. Still, that should
only be valid on a single connection.
was (Author: jking3):
It sounds like the issue is in the server side. If a client can disconnect,
reconnect, and get a response from a previous connection, that is a major
security issue, because then any other client that connects (not necessarily
the one that "re"connects) could get data that doesn't belong to it. This
should not be checked on the client with seqId matching... this is a
server-side defect and a high-priority security issue. Disconnecting should
ensure that any outstanding requests at the time of disconnect are either
canceled or run to completion; however, their response should never be accessible,
because the client that started them has disconnected.
> Generated PHP client code does not check sequence ID in messages
> -----------------------------------------------------------------
>
> Key: THRIFT-1310
> URL: https://issues.apache.org/jira/browse/THRIFT-1310
> Project: Thrift
> Issue Type: Bug
> Components: PHP - Library
> Affects Versions: 0.7
> Reporter: Fang Jian
> Priority: Critical
> Labels: security-issue
> Attachments: t_php_generator.patch
>
>
> The PHP client code does not check the sequence ID in messages; when a client
> connection times out, the returned results are out of sequence. I tried to fix this
> by throwing an exception when the sequence ID is not equal. The patch file is listed below.
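The rule the comment above asks for, as a constructed model added here (not Thrift's server or PHP library code): every in-flight request is keyed by the connection that issued it, a disconnect strips ownership from its outstanding requests, and a late result with no open owner is discarded rather than routed to whoever connected next. The client-side seqId comparison from the reporter's patch is kept only as a secondary check. Class names and the `stale_response_scenario` replay are assumptions made for this example.

```python
import itertools
from dataclasses import dataclass, field
@dataclass
class Connection:
    conn_id: int
    open: bool = True
    inbox: list = field(default_factory=list)  # (seq_id, result) readable by this connection only
class Server:
    """Constructed model, not Thrift's code: responses are bound to the issuing connection."""
    def __init__(self):
        self._ids, self._pending = itertools.count(1), {}  # (conn_id, seq_id) -> Connection
    def connect(self):
        return Connection(next(self._ids))
    def disconnect(self, conn):
        conn.open = False
        # Outstanding work may still run to completion, but it no longer has an owner to deliver to.
        self._pending = {k: v for k, v in self._pending.items() if k[0] != conn.conn_id}
    def submit(self, conn, seq_id, request):
        self._pending[(conn.conn_id, seq_id)] = conn
    def complete(self, conn_id, seq_id, result):  # a worker finished; True only if delivered
        owner = self._pending.pop((conn_id, seq_id), None)
        if owner is None or not owner.open:
            return False  # stale: discard; never hand it to whoever connected next
        owner.inbox.append((seq_id, result))
        return True
class Client:
    def __init__(self, server):
        self.server, self.conn, self.seq = server, server.connect(), 0
    def call(self, request):
        self.seq += 1
        self.server.submit(self.conn, self.seq, request)
    def reconnect(self):  # what a client does after a connect/read timeout; seqId restarts
        self.server.disconnect(self.conn)
        self.conn, self.seq = self.server.connect(), 0
    def recv(self):
        seq_id, result = self.conn.inbox.pop(0)
        if seq_id != self.seq:  # the patch's client-side check: defence in depth, not the fix
            raise RuntimeError(f"seqId mismatch: expected {self.seq}, got {seq_id}")
        return result

def stale_response_scenario():
    server = Server()
    victim = Client(server)
    victim.call("SELECT secret")                   # seqId 1 on conn 1; the worker is slow
    victim.reconnect()                             # client times out and is now conn 2
    victim.call("SELECT public")                   # seqId 1 again, on conn 2
    bystander = Client(server)                     # conn 3 connects in the meantime
    leaked = server.complete(1, 1, "secret rows")  # old worker finishes: must be dropped
    server.complete(2, 1, "public rows")
    return leaked, victim.recv(), bystander.conn.inbox
```

With only the client-side check, the "secret rows" result would still be routed to some connection; the server-side ownership rule is what keeps it from reaching the bystander or the reconnected client.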