[ https://issues.apache.org/jira/browse/OAK-1633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13961964#comment-13961964 ]

Dominique Pfister commented on OAK-1633:
----------------------------------------

bq. Other things that come to mind right away are denial-of-service attacks,
triggered by a client that would keep opening new connections but never close
them or by another one that posts a multi-gigabyte request to cause an OOME.

Both of these things are very easy to fix.

bq. Such cases and many others that we're certain to miss would be easy to fix
by relying on widely used and actively maintained code instead of writing
something on our own.

I don't think there is a component immune to *every* form of DoS attack. The
HTTP code in oak-mk-remote is very tiny and serves some well-defined purpose,
so after having fixed the obvious flaws, I don't see a compelling reason to
drop it.

> Drop custom HTTP code in oak-mk-remote
> --------------------------------------
>
> Key: OAK-1633
> URL: https://issues.apache.org/jira/browse/OAK-1633
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: mk
> Reporter: Jukka Zitting
> Priority: Critical
>
> The custom HTTP code in oak-mk-remote has subtle security flaws and should be
> dropped in favor of standard servlet interfaces or something like Apache
> HttpComponents.