[ 
https://issues.apache.org/jira/browse/OFBIZ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15850552#comment-15850552
 ] 

Jacques Le Roux edited comment on OFBIZ-9198 at 2/2/17 9:41 PM:
----------------------------------------------------------------

Ouch! It's not exactly an infinite loop. Here it took 4+ seconds
{code}
2017-02-02 22:29:18,344 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
[...]
2017-02-02 22:29:22,410 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)] Request Done- total:4.066,since last([stream(Domain:ht...):4.066]]
{code}
But indeed it can easily be used for a massive DDoS. So this is a security 
issue, and since it's already disclosed I make it a subtask of OFBIZ-1525.

Please note, Ingo, that in case of security issues the ASF has some logical 
recommendations that we relay in the "Security Vulnerabilities" section at 
http://ofbiz.apache.org/download.html 

Thanks


was (Author: jacques.le.roux):
Ouch! It's not exactly an infinite loop. Here it took 4+ seconds
{code}
2017-02-02 22:29:18,344 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
[...]
2017-02-02 22:29:22,410 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)] Request Done- total:4.066,since last([stream(Domain:ht...):4.066]]
{code}
But indeed it can easily be used for a massive DDoS. So this is a security 
issue, and since it's already disclosed I make it a subtask of OFBIZ-1525.

Please note, Ingo, that in case of security issues the ASF has some logical 
recommendation that we relay in the "Security Vulnerabilities" section at 
http://ofbiz.apache.org/download.html 

Thanks

> Missing file results in infinite loop
> -------------------------------------
>
>                 Key: OFBIZ-9198
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9198
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: specialpurpose/ecommerce
>    Affects Versions: Release Branch 13.07, Trunk, Release Branch 15.12, 
> Release Branch 16.11
>            Reporter: Ingo Wolfmayr
>            Assignee: Jacques Le Roux
>            Priority: Critical
>         Attachments: errror.txt
>
>
> When accessing a file/image in ecommerce (only seo version) that is 
> physically missing or the dataresource attribute isPublic=="N" the request 
> results in an infinite loop.
> Demo data:
> {code}
> <Content contentId="test" contentTypeId="DOCUMENT" dataResourceId="test" statusId="CTNT_PUBLISHED"/>
> <DataResource dataResourceId="test" dataResourceTypeId="LOCAL_FILE" dataTemplateTypeId="NONE" statusId="CTNT_PUBLISHED" dataResourceName="Test Image" objectInfo="PATH TO FILE" isPublic="N"/>
> <Content contentId="testurl" contentTypeId="DOCUMENT" dataResourceId="testurl" statusId="CTNT_PUBLISHED"/>
> <DataResource dataResourceId="testurl" dataResourceTypeId="URL_RESOURCE" dataTemplateTypeId="NONE" statusId="CTNT_PUBLISHED" objectInfo="/testbild-content" isPublic="N"/>
> <ContentAssoc contentId="test" contentIdTo="testurl" contentAssocTypeId="ALTERNATE_URL" fromDate="2006-09-22 00:00:00.0"/>
> {code}
> Call:
> {code}
> /ecomseo/testbild-content
> /ecomseo/stream?contentId=test
> {code}
> I found that because I had server problems (server down), so it is quite easy 
> to kill the server by streaming a non-existing contentId via the ecomseo 
> app.
> /ecomseo/stream?contentId=test1
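As an added example (not code from this ticket or from OFBiz), the following Python parser reads ControlServlet trace lines in the format quoted in the comment above, flags every completed request slower than a threshold, and sums time per request name, so a flood of slow `stream` requests of the kind described in the ticket shows up in the trace log before the container runs out of threads. The sample log lines are constructed after the format quoted above (the extra `main` request, its timing, and the one-second threshold are assumptions, not values from the ticket).

```python
"""Flag slow OFBiz ControlServlet requests from its trace-level timing lines."""
import re
from collections import defaultdict

# Matches the "Request Begun" / "Request Done" lines ControlServlet writes at
# trace level ("|T|"), e.g.
#   2017-02-02 22:29:22,410 |http-nio-8443-exec-8 |ControlServlet |T|
#     [[[stream(Domain:https://localhost)] Request Done- total:4.066,since last(...)]]
# Captures the timestamp, the container thread, the request name (the
# controller request URI, e.g. "stream"), the event and the running total in seconds.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\|(?P<thread>[^|]+?)\s*\|ControlServlet\s*\|T\| "
    r"\[\[\[(?P<request>[^(\]]+)\(Domain:(?P<domain>[^)]*)\)\] "
    r"Request (?P<event>Begun|Done).*?total:(?P<total>\d+(?:\.\d+)?)"
)

# Constructed sample: the two lines quoted in the ticket (unwrapped), plus an
# assumed fast "main" request and a second slow "stream" request for contrast.
SAMPLE_LOG = [
    "2017-02-02 22:29:18,344 |http-nio-8443-exec-8 |ControlServlet                |T| "
    "[[[stream(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]",
    "2017-02-02 22:29:18,401 |http-nio-8443-exec-9 |ControlServlet                |T| "
    "[[[main(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]",
    "2017-02-02 22:29:18,432 |http-nio-8443-exec-9 |ControlServlet                |T| "
    "[[[main(Domain:https://localhost)] Request Done- total:0.031,since last([main(Domain:ht...):0.031]]",
    "2017-02-02 22:29:22,410 |http-nio-8443-exec-8 |ControlServlet                |T| "
    "[[[stream(Domain:https://localhost)] Request Done- total:4.066,since last([stream(Domain:ht...):4.066]]",
    "2017-02-02 22:29:23,002 |http-nio-8443-exec-10 |ControlServlet               |T| "
    "[[[stream(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]",
    "2017-02-02 22:29:27,203 |http-nio-8443-exec-10 |ControlServlet               |T| "
    "[[[stream(Domain:https://localhost)] Request Done- total:4.201,since last([stream(Domain:ht...):4.201]]",
]


def parse_line(line):
    """Parse one trace line; return a dict of fields, or None for lines in another format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["total"] = float(rec["total"])
    return rec


def slow_requests(lines, threshold_s=1.0):
    """Return (thread, request, total_seconds) for each completed request slower than threshold."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "Done" and rec["total"] > threshold_s:
            hits.append((rec["thread"], rec["request"], rec["total"]))
    return hits


def time_per_request(lines):
    """Sum the Done totals per request name: a cheap view of which request eats the thread pool."""
    totals = defaultdict(float)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "Done":
            totals[rec["request"]] += rec["total"]
    return dict(totals)


if __name__ == "__main__":
    for thread, request, total in slow_requests(SAMPLE_LOG):
        print(f"slow request: {request} on {thread} took {total:.3f}s")
    print("time per request:", time_per_request(SAMPLE_LOG))
```

Run it over a real `ofbiz.log` (or `framework/base/config/debug.properties` set to trace for ControlServlet) by feeding the file's lines to `slow_requests`; a burst of `stream` requests that all take seconds on distinct `http-nio` threads is the pattern to alert on.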



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)