[ 
https://issues.apache.org/jira/browse/SHINDIG-662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tim Wintle updated SHINDIG-662:
-------------------------------

    Attachment: fix_662_bug_2.patch

Previous patch had incorrect variable name

> Check protocol for proxy requests
> ---------------------------------
>
>                 Key: SHINDIG-662
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-662
>             Project: Shindig
>          Issue Type: Bug
>          Components: Gadget Rendering Server (PHP)
>         Environment: Multiple *nix
>            Reporter: Tim Wintle
>         Attachments: fix_662_bug_2.patch
>
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> ProxyHandler does not check the protocol of requests.
> -> On our development servers, a request to proxy "file://[some big logfile]" 
> successfully tied up the server for 30 seconds of CPU time. 
>     (The request was not passed back to the client, but this bug opens up a 
> possibility for a DoS attack)
> Patch submitted simply checks that the requested URL includes http, https or 
> ftp protocols if a protocol is specified.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
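
The scheme check described in the issue, as an added example; it is not Shindig's ProxyHandler code and not the attached patch. The function name `normalizeProxyUrl`, the `http://` default for scheme-less URLs and the sample inputs are assumptions. It parses the scheme and compares it against an allow-list rather than searching the string for "http".

```php
<?php
// Added example: hypothetical helper, not taken from Shindig or the attached patch.
// Schemes the issue says the proxy should accept.
const ALLOWED_PROXY_SCHEMES = ['http', 'https', 'ftp'];

// Returns the URL to hand to the fetcher, or null if the request must be refused.
function normalizeProxyUrl(string $url): ?string
{
    $url = trim($url);
    // Refuse empty input and anything carrying control characters or spaces.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        // Schemes are case-insensitive, so compare in lower case ("FILE:" == "file:").
        if (!in_array(strtolower($m[1]), ALLOWED_PROXY_SCHEMES, true)) {
            return null;
        }
    } else {
        // Assumption: a URL with no scheme is treated as http. Note that a bare
        // "host:port/path" matches the scheme pattern above and is refused,
        // so ambiguous input fails closed.
        $url = 'http://' . $url;
    }
    // An allowed scheme must still name a remote host.
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    return $url;
}

// Constructed sample requests, not taken from the issue.
$samples = [
    'https://example.com/gadget.xml',
    'example.com/gadget.xml',
    'ftp://example.com/data.txt',
    'file:///var/log/http.log',   // contains "http", but the scheme is file
    'FILE:///var/log/app.log',
    'http:///no-host',
];
foreach ($samples as $s) {
    $result = normalizeProxyUrl($s);
    printf("%-32s %s\n", $s, $result === null ? 'REFUSED' : "fetch $result");
}
```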
