[jira] [Commented] (THRIFT-2145) Rack and Thin are not just development dependencies
    [ https://issues.apache.org/jira/browse/THRIFT-2145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13831643#comment-13831643 ]

Matt Gillooly commented on THRIFT-2145:
---------------------------------------

+1 Nick and Andrew. I've got a gem which requires thrift. We had added rack and thin as dependencies of that gem to get around this issue. We now wish to use that gem in a JRuby environment, where thin is not available, so I'm forced to either fork the thrift gem or add a dummy thin.rb to my gem. Neither of these seems reasonable, when there is a simple fix in the attached patch above.

> Rack and Thin are not just development dependencies
> ---------------------------------------------------
>
> Key: THRIFT-2145
> URL: https://issues.apache.org/jira/browse/THRIFT-2145
> Project: Thrift
> Issue Type: Bug
> Components: Ruby - Library
> Affects Versions: 0.9.1
> Environment: Mac OS X and Linux, Ruby v1.9.3
> Reporter: Keith Barrette
> Assignee: Jake Farrell
> Attachments: 0001-Require-thin-server-in-spec-that-uses-it.patch, thrift-0.9.1-rack-thin-dependency.patch
>
> The rack and thin gems should be specified as full dependencies, not just development dependencies. This is causing runtime errors when requiring thrift.

--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Created] (THRIFT-2272) CLONE - Denial of Service attack in TBinaryProtocol.readString
Valentin Mayamsin created THRIFT-2272:
-------------------------------------

Summary: CLONE - Denial of Service attack in TBinaryProtocol.readString
Key: THRIFT-2272
URL: https://issues.apache.org/jira/browse/THRIFT-2272
Project: Thrift
Issue Type: Bug
Components: Java - Library
Affects Versions: 0.6.1, 0.8
Environment: All
Reporter: Valentin Mayamsin
Assignee: Niraj Tolia
Priority: Critical
Fix For: 0.9
Attachments: 0001-Add-test-for-TCompactProtocol-OOM-Denial-of-Service.patch, 0001-Address-denial-of-service-in-TCompactProtocol.patch, 0002-Add-test-for-TBinaryProtocol-OOM-Denial-of-Service.patch, 0003-Cleanup-length-checks-in-TCompactProtocol.patch, Attack.java, Foo.thrift

In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.
[jira] [Commented] (THRIFT-2272) CLONE - Denial of Service attack in TBinaryProtocol.readString
    [ https://issues.apache.org/jira/browse/THRIFT-2272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13831672#comment-13831672 ]

Valentin Mayamsin commented on THRIFT-2272:
-------------------------------------------

The issue is still there, in TBinaryProtocol in particular. The Attack.java still produces java.lang.OutOfMemoryError.

> CLONE - Denial of Service attack in TBinaryProtocol.readString
> --------------------------------------------------------------
>
> Key: THRIFT-2272
> URL: https://issues.apache.org/jira/browse/THRIFT-2272
> Project: Thrift
> Issue Type: Bug
> Components: Java - Library
> Affects Versions: 0.6.1, 0.8
> Environment: All
> Reporter: Valentin Mayamsin
> Assignee: Niraj Tolia
> Priority: Critical
> Labels: security
> Fix For: 0.9
> Attachments: 0001-Add-test-for-TCompactProtocol-OOM-Denial-of-Service.patch, 0001-Address-denial-of-service-in-TCompactProtocol.patch, 0002-Add-test-for-TBinaryProtocol-OOM-Denial-of-Service.patch, 0003-Cleanup-length-checks-in-TCompactProtocol.patch, Attack.java, Foo.thrift
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.
[jira] [Commented] (THRIFT-2145) Rack and Thin are not just development dependencies
    [ https://issues.apache.org/jira/browse/THRIFT-2145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13831683#comment-13831683 ]

Andrew Bloomgarden commented on THRIFT-2145:
--------------------------------------------

That would probably work, but I don't think it's necessary. I don't think it's asking too much of people who need a Thin-based server to require it themselves.
[jira] [Commented] (THRIFT-2145) Rack and Thin are not just development dependencies
    [ https://issues.apache.org/jira/browse/THRIFT-2145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13831678#comment-13831678 ]

Jake Farrell commented on THRIFT-2145:
--------------------------------------

Instead of removing from thrift.rb we could check for thin with something like the following, thoughts?

{code}
require 'thrift/server/thin_http_server' if defined?(Rack::Handler::Thin)
{code}
[jira] [Commented] (THRIFT-2145) Rack and Thin are not just development dependencies
    [ https://issues.apache.org/jira/browse/THRIFT-2145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13831685#comment-13831685 ]

Matt Gillooly commented on THRIFT-2145:
---------------------------------------

I agree with Andrew. 0001-Require-thin-server-in-spec-that-uses-it.patch looks like a simple fix which has been sitting around for 3 months.
[jira] [Closed] (THRIFT-2145) Rack and Thin are not just development dependencies
    [ https://issues.apache.org/jira/browse/THRIFT-2145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jake Farrell closed THRIFT-2145.
--------------------------------

Resolution: Fixed
Fix Version/s: 0.9.2

committed 0001 patch
[jira] [Commented] (THRIFT-2145) Rack and Thin are not just development dependencies
    [ https://issues.apache.org/jira/browse/THRIFT-2145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13831768#comment-13831768 ]

Andrew Bloomgarden commented on THRIFT-2145:
--------------------------------------------

Thank you!
[jira] [Commented] (THRIFT-2145) Rack and Thin are not just development dependencies
    [ https://issues.apache.org/jira/browse/THRIFT-2145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13831797#comment-13831797 ]

Matt Gillooly commented on THRIFT-2145:
---------------------------------------

Thanks!
[jira] [Closed] (THRIFT-2267) Should be able to choose socket family in Python TSocket
    [ https://issues.apache.org/jira/browse/THRIFT-2267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jake Farrell closed THRIFT-2267.
--------------------------------

Resolution: Fixed
Assignee: Abraham Elmahrek

Committed, thanks for the patch

> Should be able to choose socket family in Python TSocket
> --------------------------------------------------------
>
> Key: THRIFT-2267
> URL: https://issues.apache.org/jira/browse/THRIFT-2267
> Project: Thrift
> Issue Type: Bug
> Components: Python - Library
> Affects Versions: 0.9.1
> Reporter: Abraham Elmahrek
> Assignee: Abraham Elmahrek
> Attachments: THRIFT-2267.0.patch
>
> Currently, the python library looks for AF_INET6, but some applications prefer AF_INET4. This should be selectable or configurable.
[jira] [Closed] (THRIFT-2267) Should be able to choose socket family in Python TSocket
    [ https://issues.apache.org/jira/browse/THRIFT-2267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jake Farrell closed THRIFT-2267.
--------------------------------

Resolution: Fixed
Fix Version/s: 0.9.2
[jira] [Commented] (THRIFT-2272) CLONE - Denial of Service attack in TBinaryProtocol.readString
    [ https://issues.apache.org/jira/browse/THRIFT-2272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13832003#comment-13832003 ]

Roger Meier commented on THRIFT-2272:
-------------------------------------

could you please rebase this to master?

thanks
-roger
[jira] [Commented] (THRIFT-2272) CLONE - Denial of Service attack in TBinaryProtocol.readString
    [ https://issues.apache.org/jira/browse/THRIFT-2272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13832007#comment-13832007 ]

Niraj Tolia commented on THRIFT-2272:
-------------------------------------

[~roger.meier] Those patches seem to belong to me and are from a long time ago. They are neither the correct fix, nor will they apply to master. As I mentioned [elsewhere|https://issues.apache.org/jira/browse/THRIFT-1643?focusedCommentId=13806973&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13806973], a separate and new fix is needed. I can probably contribute that but I am currently buried under other work and it will take some time.
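The failure mode this issue describes, a declared string size that is larger than the bytes actually received and that gets allocated before anyone compares the two, reduced to its essentials as an added Python example; this is not Thrift's own TBinaryProtocol code and not any of the attached patches. The reader below works over a byte buffer the way the issue's byte-array case does: it decodes the big-endian i32 length prefix that the binary protocol uses and rejects the message before allocating if the size is negative, exceeds the bytes remaining, or exceeds a configured ceiling. The framing (consecutive length-prefixed strings), the MAX_STRING_SIZE value, the sample buffers and all function names are constructed for the example.

```python
import struct
from typing import List, Tuple


class ProtocolError(ValueError):
    """Raised when a length prefix is inconsistent with the bytes actually available."""


# Constructed ceiling for the example: a defender-chosen bound, not a Thrift constant.
MAX_STRING_SIZE = 16 * 1024 * 1024


def read_i32(buf: bytes, pos: int) -> Tuple[int, int]:
    """Read a big-endian signed 32-bit integer, the size encoding TBinaryProtocol uses."""
    if pos + 4 > len(buf):
        raise ProtocolError("truncated i32 at offset %d" % pos)
    (value,) = struct.unpack_from(">i", buf, pos)
    return value, pos + 4


def read_string(buf: bytes, pos: int, max_size: int = MAX_STRING_SIZE) -> Tuple[bytes, int]:
    """Read one length-prefixed string, validating the prefix before any allocation.

    The unchecked reader described in the issue allocates `size` bytes first and only
    then discovers the data is not there. Here the order is reversed: the size must be
    non-negative, must fit in the bytes that remain, and must stay under max_size (the
    check that still protects a streaming transport, where "remaining" is not known).
    """
    size, pos = read_i32(buf, pos)
    if size < 0:
        raise ProtocolError("negative string size %d" % size)
    remaining = len(buf) - pos
    if size > remaining:
        raise ProtocolError("string size %d but only %d bytes remain" % (size, remaining))
    if size > max_size:
        raise ProtocolError("string size %d exceeds limit %d" % (size, max_size))
    # Only now is copying safe: the slice cannot exceed what the peer actually sent.
    return bytes(buf[pos:pos + size]), pos + size


def read_string_list(buf: bytes) -> List[bytes]:
    """Parse a buffer of consecutive length-prefixed strings (constructed framing)."""
    pos = 0
    out = []
    while pos < len(buf):
        s, pos = read_string(buf, pos)
        out.append(s)
    return out


def encode_string(s: bytes) -> bytes:
    """Inverse of read_string, used to build the well-formed sample below."""
    return struct.pack(">i", len(s)) + s


def classify(buf: bytes) -> str:
    """Parse and report either 'ok' or the reason the message was rejected."""
    try:
        read_string_list(buf)
        return "ok"
    except ProtocolError as err:
        return "rejected: " + str(err)


# Constructed sample inputs.
GOOD = encode_string(b"hello") + encode_string(b"thrift")
# Six bytes of payload whose prefix claims 2 GiB: exactly the shape that fills the heap
# when the allocation happens before the comparison.
HOSTILE = struct.pack(">i", 0x7FFFFFFF) + b"abcdef"
NEGATIVE = struct.pack(">i", -1) + b"abcdef"
TRUNCATED = b"\x00\x00"

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("HOSTILE", HOSTILE),
                         ("NEGATIVE", NEGATIVE), ("TRUNCATED", TRUNCATED)]:
        print(name, classify(sample))
```

The remaining-bytes comparison is the one the issue calls for and it is exact whenever the whole message is already in memory; over a socket the reader cannot know how many bytes are still to come, so the size ceiling is what stops a short hostile message from reserving a huge buffer there, and the value should be chosen per deployment.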
Jenkins build is back to normal : Thrift-Compiler-Windows #955
See https://builds.apache.org/job/Thrift-Compiler-Windows/955/changes
[jira] [Commented] (THRIFT-2267) Should be able to choose socket family in Python TSocket
    [ https://issues.apache.org/jira/browse/THRIFT-2267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13832096#comment-13832096 ]

Hudson commented on THRIFT-2267:
--------------------------------

FAILURE: Integrated in Thrift #944 (See [https://builds.apache.org/job/Thrift/944/])
THRIFT-2267: Should be able to choose socket family in Python TSocket (jfarrell: rev 3979b869f3236b3a7e1c92b788eabced2a8345ed)
* lib/py/src/transport/TSocket.py
[jira] [Commented] (THRIFT-2145) Rack and Thin are not just development dependencies
    [ https://issues.apache.org/jira/browse/THRIFT-2145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13832095#comment-13832095 ]

Hudson commented on THRIFT-2145:
--------------------------------

FAILURE: Integrated in Thrift #944 (See [https://builds.apache.org/job/Thrift/944/])
THRIFT-2145: Rack and Thin are not just development dependencies (jfarrell: rev cba92b308f894ef02b89c23ea6179faff6138772)
* lib/rb/spec/thin_http_server_spec.rb
* lib/rb/lib/thrift.rb
* lib/rb/thrift.gemspec
[jira] [Commented] (THRIFT-2267) Should be able to choose socket family in Python TSocket
    [ https://issues.apache.org/jira/browse/THRIFT-2267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13832127#comment-13832127 ]

Abraham Elmahrek commented on THRIFT-2267:
------------------------------------------

Sorry, I made this mistake in my project, but didn't update this Jira.

TSocket.py#L36
{code}
socket.self._socket_family,
{code}
should be:
{code}
self._socket_family,
{code}
[jira] [Reopened] (THRIFT-2267) Should be able to choose socket family in Python TSocket
    [ https://issues.apache.org/jira/browse/THRIFT-2267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Abraham Elmahrek reopened THRIFT-2267:
--------------------------------------

Attaching new diff.
[jira] [Updated] (THRIFT-2267) Should be able to choose socket family in Python TSocket
    [ https://issues.apache.org/jira/browse/THRIFT-2267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Abraham Elmahrek updated THRIFT-2267:
-------------------------------------

Attachment: THRIFT-2267.1.patch
[jira] [Closed] (THRIFT-2267) Should be able to choose socket family in Python TSocket
    [ https://issues.apache.org/jira/browse/THRIFT-2267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jake Farrell closed THRIFT-2267.
--------------------------------

Resolution: Fixed

commit 8bdff94
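The selectable address family this issue asks for, as an added Python example rather than the project's lib/py/src/transport/TSocket.py or either attached patch. A small resolver class stores the caller's socket_family on the instance and hands it to socket.getaddrinfo, defaulting to AF_UNSPEC so both IPv4 and IPv6 candidates are offered unless the caller restricts them; the typo corrected in the comment above, socket.self._socket_family, would fail here with AttributeError because the socket module has no attribute named self. The class and helper names are the example's own, and it uses numeric hosts only so that it runs without DNS.

```python
import socket
from typing import List, Tuple


class AddressResolver:
    """Resolve host:port for a client connection with a caller-selected address family.

    The family lives on the instance (self._socket_family) and is passed through to
    getaddrinfo, instead of the library deciding on AF_INET6 for everyone. AF_UNSPEC
    lets getaddrinfo return IPv4 and IPv6 candidates; AF_INET or AF_INET6 narrows them.
    """

    SUPPORTED = (socket.AF_UNSPEC, socket.AF_INET, socket.AF_INET6)

    def __init__(self, host: str, port: int, socket_family: int = socket.AF_UNSPEC):
        if socket_family not in self.SUPPORTED:
            raise ValueError("unsupported socket family: %r" % (socket_family,))
        self.host = host
        self.port = port
        self._socket_family = socket_family

    def resolve(self) -> List[Tuple[int, tuple]]:
        """Return (family, sockaddr) candidates; an unresolvable host yields an empty list."""
        try:
            infos = socket.getaddrinfo(self.host, self.port,
                                       self._socket_family, socket.SOCK_STREAM)
        except socket.gaierror:
            return []
        return [(family, sockaddr) for family, _stype, _proto, _canon, sockaddr in infos]

    def open(self, timeout: float = 5.0) -> socket.socket:
        """Connect to the first candidate that accepts; the family filter is already applied."""
        last_err: Exception = OSError("no addresses for %s:%s" % (self.host, self.port))
        for family, sockaddr in self.resolve():
            sock = socket.socket(family, socket.SOCK_STREAM)
            sock.settimeout(timeout)
            try:
                sock.connect(sockaddr)
                return sock
            except OSError as err:
                last_err = err
                sock.close()
        raise OSError("could not connect to %s:%s: %s" % (self.host, self.port, last_err))


def families_for(host: str, port: int, family_name: str = "AF_UNSPEC") -> List[str]:
    """Names of the address families getaddrinfo offers for host under the given restriction.

    family_name is the constant's name ("AF_INET", "AF_INET6", "AF_UNSPEC"), looked up on
    the socket module, so results read the same on every platform regardless of the
    numeric values behind the constants.
    """
    resolver = AddressResolver(host, port, getattr(socket, family_name))
    return [socket.AddressFamily(family).name for family, _ in resolver.resolve()]


if __name__ == "__main__":
    # Constructed, offline inputs: numeric hosts need no name resolution.
    print("AF_INET   ->", families_for("127.0.0.1", 9090, "AF_INET"))
    print("AF_UNSPEC ->", families_for("127.0.0.1", 9090))
    print("AF_INET6  ->", families_for("::1", 9090, "AF_INET6"))
```

Keeping the family as an explicit constructor argument with a validated default is the shape that avoids both halves of the original complaint: applications that must stay on IPv4 pass AF_INET, and applications that do not care get whatever the resolver supports.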