[ https://issues.apache.org/jira/browse/CXF-4172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13229356#comment-13229356 ]

Sergey Beryozkin commented on CXF-4172:
---------------------------------------

A number of new contextual properties have been introduced to limit the depth of 
the incoming XML or JSON payloads (processed with the help of JAXB) and form 
payloads.

XML and JSON:

"depthTotalElementCountThreshold" - restricts the total number of elements in a 
given payload.
"depthInnerElementCountThreshold" - restricts the total number of child 
elements for a given element.
"depthInnerElementLevelThreshold" - restricts the stack depth starting from a 
given element (root by default).

These properties can be enforced in a number of ways. The simplest option is to 
enable them on individual JAX-RS endpoints. Alternatively, default CXF JAX-RS 
JAXBElementProvider and JSONProvider can have a 'depthProperties' set 
(http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/staxutils/DocumentDepthProperties.java).
Finally they can instead depend on DepthRestrictingStreamInterceptor 
(http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java)
configured and added to the inbound chain.

Source and DOM Document providers will depend on 
DepthRestrictingStreamInterceptor.

More sophisticated properties can be introduced in the future.

Form:

"maxFormParameterCount" - restricts the number of form name-value pairs.
Note that the Servlet containers may also need to restrict the number of form 
parameters:
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201112.mbox/%[email protected]%3E

The clients will get HTTP 413 back whenever one of the above contextual 
properties cannot be enforced.

*Note*: other optional XML or JSON providers may need the related third-party 
library enhanced to enforce the depth of the incoming payloads.

> Default JAX-RS JAXB, JSON and Form providers are open to the hash collision 
> attacks
> -----------------------------------------------------------------------------------
>
>                 Key: CXF-4172
>                 URL: https://issues.apache.org/jira/browse/CXF-4172
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>            Reporter: Sergey Beryozkin
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 2.3.10, 2.4.7, 2.5.3, 2.6
>
>
> JAXB based and Form providers using the Maps internally are open to the hash 
> collision attacks.
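The three depth thresholds and the form-parameter limit described in the comment above, shown as an added, self-contained example (this is not CXF's code; CXF enforces them in DocumentDepthProperties and DepthRestrictingStreamInterceptor on its StAX reader). The class and function names, the rule that a limit of 0 means "not enforced", and the sample payloads are this example's own assumptions; CXF's JSONProvider applies the same element-based thresholds through its StAX view of the JSON, which is not reproduced here.

```python
"""Added example (not Apache CXF's own code): payload-depth and form-parameter
limits in the spirit of the CXF-4172 contextual properties, with a violation
mapped to HTTP 413.  Names and the 0-means-unlimited rule are assumptions."""
import xml.parsers.expat
from urllib.parse import parse_qsl


class PayloadTooLarge(Exception):
    """Raised when a threshold is exceeded; a resource would answer HTTP 413."""
    status = 413


class DepthRestrictingParser:
    """Streaming XML check mirroring the three CXF depth properties:
    total_element_count  -> "depthTotalElementCountThreshold"
    inner_element_count  -> "depthInnerElementCountThreshold"
    inner_element_level  -> "depthInnerElementLevelThreshold" (root = level 1)
    A limit of 0 disables that check (assumption made for this example)."""

    def __init__(self, total_element_count=0, inner_element_count=0,
                 inner_element_level=0):
        self.total_limit = total_element_count
        self.inner_limit = inner_element_count
        self.level_limit = inner_element_level

    def check(self, data):
        """Parse with expat, counting as elements open; raise PayloadTooLarge as
        soon as a limit is crossed so the rest of the payload is never read."""
        total = 0
        max_depth = 0
        max_children = 0
        child_counts = []  # stack: children seen so far under each open element

        def start(name, attrs):
            nonlocal total, max_depth, max_children
            total += 1
            if self.total_limit and total > self.total_limit:
                raise PayloadTooLarge("total element count exceeds %d" % self.total_limit)
            if child_counts:
                child_counts[-1] += 1
                max_children = max(max_children, child_counts[-1])
                if self.inner_limit and child_counts[-1] > self.inner_limit:
                    raise PayloadTooLarge("child count exceeds %d" % self.inner_limit)
            child_counts.append(0)
            depth = len(child_counts)
            max_depth = max(max_depth, depth)
            if self.level_limit and depth > self.level_limit:
                raise PayloadTooLarge("nesting level exceeds %d" % self.level_limit)

        def end(name):
            child_counts.pop()

        parser = xml.parsers.expat.ParserCreate()
        parser.StartElementHandler = start
        parser.EndElementHandler = end
        parser.Parse(data, True)  # exceptions raised in handlers propagate here
        return {"elements": total, "max_children": max_children, "max_depth": max_depth}


def check_form(body, max_form_parameter_count=0):
    """Decode an application/x-www-form-urlencoded body and enforce the
    "maxFormParameterCount" idea: reject before the pairs reach any Map."""
    pairs = parse_qsl(body, keep_blank_values=True)
    if max_form_parameter_count and len(pairs) > max_form_parameter_count:
        raise PayloadTooLarge("form parameter count exceeds %d" % max_form_parameter_count)
    return pairs


# Constructed sample payloads (not taken from the issue).
DEEP_XML = "<a><b><c><d/></c></b></a>"            # 4 elements, 4 levels deep
WIDE_XML = "<root>" + "<item/>" * 5 + "</root>"   # 6 elements, 5 children under root
FORM_BODY = "a=1&b=2&c=3"


def run_demo():
    """Return which sample payloads a 10/3/3 configuration rejects."""
    p = DepthRestrictingParser(total_element_count=10, inner_element_count=3,
                               inner_element_level=3)
    results = {}
    for label, payload in (("deep", DEEP_XML), ("wide", WIDE_XML)):
        try:
            p.check(payload)
            results[label] = "accepted"
        except PayloadTooLarge as e:
            results[label] = "413: %s" % e
    try:
        check_form(FORM_BODY, max_form_parameter_count=2)
        results["form"] = "accepted"
    except PayloadTooLarge as e:
        results["form"] = "413: %s" % e
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "->", v)
```

The checks run inside the parser callbacks so an oversized payload is rejected partway through rather than after it has been fully materialised, which is the point of a streaming interceptor. For the form case the standard library offers the same guard natively: `parse_qsl(..., max_num_fields=N)` raises `ValueError` once more than N fields are seen.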

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira