[ 
https://issues.apache.org/jira/browse/SHINDIG-662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Chris Chabot resolved SHINDIG-662.
----------------------------------

    Resolution: Fixed
      Assignee: Chris Chabot

I did change the patch slightly to raise exceptions instead of setting the URL 
to "" on an invalid protocol (more consistent with the rest of the project) but 
other than that it looks good to me.

Fix's been committed, thanks for the patch!

> Check protocol for proxy requests
> ---------------------------------
>
>                 Key: SHINDIG-662
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-662
>             Project: Shindig
>          Issue Type: Bug
>          Components: Gadget Rendering Server (PHP)
>         Environment: Multiple *nix
>            Reporter: Tim Wintle
>            Assignee: Chris Chabot
>         Attachments: fix_662_bug_2.patch
>
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> ProxyHandler does not check the protocol of requests.
> -> On our development servers, a request to proxy "file://[some big logfile]" 
> successfully tied up the server for 30 seconds of CPU time. 
>     (The request was not passed back to the client, but this bug opens up a 
> possibility for a DoS attack)
> Patch submitted simply checks that the requested URL includes http, https or 
> ftp protocols if a protocol is specified.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
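
The check described in this issue, as an added example that is not the committed Shindig patch: a scheme allowlist that raises an exception on anything other than http, https or ftp. The function and exception names, the sample URLs and the choice to default scheme-less URLs to http are assumptions.

```php
<?php
// Added example, not Shindig's code. ProxyUrlException and
// validateProxyUrl() are hypothetical names.

class ProxyUrlException extends Exception {}

// The three protocols the issue says the patch accepts.
const ALLOWED_PROXY_SCHEMES = ['http', 'https', 'ftp'];

/**
 * Returns the URL the proxy may fetch, or throws if it names a
 * protocol outside the allowlist.
 */
function validateProxyUrl(string $url): string
{
    $url = trim($url);
    if ($url === '') {
        throw new ProxyUrlException('Empty proxy URL');
    }
    // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":".
    // "host:8080/path" also matches and is rejected, which fails closed.
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        $scheme = strtolower($m[1]); // schemes are case-insensitive
        if (!in_array($scheme, ALLOWED_PROXY_SCHEMES, true)) {
            throw new ProxyUrlException("Protocol not allowed: $scheme");
        }
        return $url;
    }
    // No protocol specified. Assumption: default to http so the value can
    // never reach a fetch function as a bare local path.
    return 'http://' . ltrim($url, '/');
}

// Constructed sample inputs.
$samples = [
    'http://example.org/gadget.xml',
    'FILE:///var/log/example.log',
    'data:text/plain,hello',
    'example.org/feed.xml',
];
foreach ($samples as $s) {
    try {
        echo $s, ' => ', validateProxyUrl($s), PHP_EOL;
    } catch (ProxyUrlException $e) {
        echo $s, ' => rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```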
