[ https://issues.apache.org/jira/browse/OFBIZ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15850552#comment-15850552 ]
Jacques Le Roux edited comment on OFBIZ-9198 at 2/2/17 9:41 PM: ---------------------------------------------------------------- Ouch! It's not exactly an infinite loop. Here it tooks 4+ seconds {code} 2017-02-02 22:29:18,344 |http-nio-8443-exec-8 |ControlServlet |T| [[[stream(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]] [...] 2017-02-02 22:29:22,410 |http-nio-8443-exec-8 |ControlServlet |T| [[[stream(Domain:https://localhost)] Request Done- total:4.066,since last([stream(Domain:ht...):4.066]] {code} But indeed it can be easily used with a massive DDOS. So this is a security issue and since it's already disclosed I make it a subtask of OFBIZ-1525 Please Ingo note that in case of security issues the ASF has some logical recommendations that we relay in the "Security Vulnerabilities" section at http://ofbiz.apache.org/download.html Thanks was (Author: jacques.le.roux): Ouch! It's not exactly an infinite loop. Here it tooks 4+ seconds {code} 2017-02-02 22:29:18,344 |http-nio-8443-exec-8 |ControlServlet |T| [[[stream(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]] [...] 2017-02-02 22:29:22,410 |http-nio-8443-exec-8 |ControlServlet |T| [[[stream(Domain:https://localhost)] Request Done- total:4.066,since last([stream(Domain:ht...):4.066]] {code} But indeed it can be easily used with a massive DDOS. So this is a security issue and since it's already disclosed I make it a subtask of OFBIZ-1525 Please Ingo note that in case of security issues the ASF has some logical recommendation that we relay in the "Security Vulnerabilities" section at http://ofbiz.apache.org/download.html Thanks > Missing file results in infinite loop > ------------------------------------- > > Key: OFBIZ-9198 > URL: https://issues.apache.org/jira/browse/OFBIZ-9198 > Project: OFBiz > Issue Type: Sub-task > Components: specialpurpose/ecommerce > Affects Versions: Release Branch 13.07, Trunk, Release Branch 15.12, > Release Branch 16.11 > Reporter: Ingo Wolfmayr > Assignee: Jacques Le Roux > Priority: Critical > Attachments: errror.txt > > > When accessing a file/image in ecommerce (only seo version) that is > physically missing or the dataresource attribute isPublic=="N" the request > results in an infinite loop. > Demo data: > <Content contentId="test" contentTypeId="DOCUMENT" dataResourceId="test" > statusId="CTNT_PUBLISHED"/> > <DataResource dataResourceId="test" dataResourceTypeId="LOCAL_FILE" > dataTemplateTypeId="NONE" statusId="CTNT_PUBLISHED" dataResourceName="Test > Image" objectInfo="PATH TO FILE" isPublic="N" /> > <Content contentId="testurl" contentTypeId="DOCUMENT" > dataResourceId="testurl" statusId="CTNT_PUBLISHED"/> > <DataResource dataResourceId="testurl" dataResourceTypeId="URL_RESOURCE" > dataTemplateTypeId="NONE" statusId="CTNT_PUBLISHED" > objectInfo="/testbild-content" isPublic="N"/> > <ContentAssoc contentId="test" contentIdTo="testurl" > contentAssocTypeId="ALTERNATE_URL" fromDate="2006-09-22 00:00:00.0"/> > Call: > /ecomseo/testbild-content > /ecomseo/stream?contentId=test > I found that because I had server problems (server down), so it is quite easy > to kill the server by streaming a not existing contentId via via the ecomseo > app. > /ecomseo/stream?contentId=test1 -- This message was sent by Atlassian JIRA (v6.3.15#6346)