[ https://issues.apache.org/jira/browse/MESOS-7689?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16080023#comment-16080023 ]
Alexander Rukletsov commented on MESOS-7689:
--------------------------------------------
{noformat}
Commit: 1da4e45b8077b9046bba1a7ed15be5e344a14a91 [1da4e45]
Author: Alexander Rukletsov <[email protected]>
Date: 4 July 2017 at 15:24:17 GMT+2
Commit Date: 10 July 2017 at 09:33:00 GMT+2

Rejected libprocess HTTP requests with empty path.

Without this patch, a malicious actor can crash libprocess-based
components by sending a libprocess HTTP message with empty path.

For robustness, we check for malformed HTTP requests in both
handle() and parse() routines in libprocess, because there is
no guarantee that parse() will always get a validated request.

A better approach would be to introduce an explicit HTTP request
validation stage, for both libprocess and common HTTP messages.
{noformat}
> Libprocess can crash on malformed request paths for libprocess messages.
> ------------------------------------------------------------------------
>
> Key: MESOS-7689
> URL: https://issues.apache.org/jira/browse/MESOS-7689
> Project: Mesos
> Issue Type: Bug
> Components: libprocess
> Reporter: Benjamin Mahler
> Assignee: Benjamin Mahler
> Fix For: 1.2.2, 1.3.1, 1.4.0, 1.1.3
>
>
> The following code will crash when there is a libprocess message and the path
> cannot be decoded:
> https://github.com/apache/mesos/blob/1.3.0/3rdparty/libprocess/src/process.cpp#L798-L800
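The two-stage check described in the commit message, as an added example (not the libprocess source and not code from this issue). The function names, the "/<id>/<message>" path layout and the status codes are assumptions made for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <optional>
#include <string>

// Percent-decodes `in`; returns nullopt on a truncated or non-hex escape
// so the caller gets an error value instead of a crash.
std::optional<std::string> percent_decode(const std::string& in) {
  std::string out;
  for (std::size_t i = 0; i < in.size(); ++i) {
    if (in[i] != '%') { out += in[i]; continue; }
    if (i + 2 >= in.size() ||
        !std::isxdigit(static_cast<unsigned char>(in[i + 1])) ||
        !std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
      return std::nullopt;
    }
    out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
    i += 2;
  }
  return out;
}

// parse() stage (hypothetical): extracts the recipient id from the path.
// It re-checks the path itself because a caller may skip handle().
std::optional<std::string> parse_recipient(const std::string& path) {
  // substr(1) on an empty string would throw std::out_of_range.
  if (path.empty() || path[0] != '/') return std::nullopt;
  const std::size_t slash = path.find('/', 1);
  const std::string raw =
      path.substr(1, slash == std::string::npos ? slash : slash - 1);
  std::optional<std::string> id = percent_decode(raw);
  if (!id || id->empty()) return std::nullopt;  // undecodable or empty id
  return id;
}

// handle() stage (hypothetical): returns the HTTP status to send back.
int handle(const std::string& path) {
  if (path.empty() || path[0] != '/') return 400;  // reject before parse()
  return parse_recipient(path) ? 202 : 400;
}

int main() {
  // Constructed sample paths, not taken from the issue.
  for (const char* p : {"", "/", "/bad%zz/ping", "/slave%281%29/ping"}) {
    std::cout << '"' << p << "\" -> " << handle(p) << '\n';
  }
}
```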