I think that version 2.3 is also 'vulnerable'. The readLine() method in org.apache.james.util.CRLFTerminatedReader does not check for a maximum number of characters read, and this results in a constantly growing linebuffer. It should be possible to specify a maximum size in CRLFTerminatedReader and if this size exceeds the maximum size it should stop reading in more data.
A possible workaround, until a fix is ready, would be to set the watchdog timeout to a lower value (I think the default value is 5 min). This will hopefully stop the 'injection' before running out of memory.

Martijn Brinkers

> -----Original Message-----
> From: Noel J. Bergman [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 14, 2006 21:38
> To: James Users List
> Subject: RE: Vunerability?
>
> Jason Clark wrote:
>
> > I tested this on our 2.2 installation, and it did indeed cause
> > the server's cpu to spike to %100 utilization.
>
> Since you can reproduce it against your 22, would you please see if you
> can reproduce it against the current 2.3 beta?
>
> --- Noel
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
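
The maximum-size check proposed in the message above, as an added example that is not part of the original post and is not James code: a CRLF-terminated line reader that stops reading once a line passes a cap. The class name `BoundedCrlfReader`, the 512-character limit and the sample input are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

// Hypothetical class (not org.apache.james.util.CRLFTerminatedReader):
// reads CRLF-terminated lines and refuses to buffer more than a fixed length.
public class BoundedCrlfReader {
    private final Reader in;
    private final int maxLineLength; // assumed cap, in characters, excluding CRLF

    public BoundedCrlfReader(Reader in, int maxLineLength) {
        this.in = in;
        this.maxLineLength = maxLineLength;
    }

    /** Returns the next line without its CRLF, or null at a clean end of stream. */
    public String readLine() throws IOException {
        StringBuilder line = new StringBuilder();
        boolean sawCr = false;
        int c;
        while ((c = in.read()) != -1) {
            if (sawCr && c == '\n') {
                line.setLength(line.length() - 1); // drop the buffered CR
                return line.toString();
            }
            sawCr = (c == '\r');
            line.append((char) c);
            // A trailing CR may still be completed by LF, so allow it one extra slot.
            if (line.length() > maxLineLength + (sawCr ? 1 : 0)) {
                throw new IOException("line exceeds " + maxLineLength + " characters");
            }
        }
        if (line.length() == 0) {
            return null;
        }
        throw new IOException("stream ended before CRLF");
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: one normal command, then 10,000 characters with no CRLF.
        StringBuilder data = new StringBuilder("HELO client.example\r\n");
        for (int i = 0; i < 10000; i++) data.append('A');
        BoundedCrlfReader reader = new BoundedCrlfReader(new StringReader(data.toString()), 512);
        System.out.println("accepted: " + reader.readLine());
        try {
            reader.readLine();
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The caller decides what to do on the exception; closing the connection is what keeps the buffer from growing further.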
