Hello,
Testing my QuotaListener, I have found a bug that showed a security weakness.
For a put method, to test if the request can be done (will the quota be
exceeded?), I rely on the "contentLength" parameter of the HTTP request.
To update quota MD when the request is done I use the resource MD
(DAV:getcontentlength).
I have made tests using many DAV clients and for one of them (based on
the Slide client library) I could exceed quotas with a put method.
Bad luck :-( I thought I had finished...
I have discovered that the HTTP contentLength parameter was -1 for this
request.
What happens:
> before the put
quota-available-bytes = 2000
quota-used-bytes = 1980
> when the request is done (with a file of 400B but HTTP content
length = -1):
quota-available-bytes = 2000
quota-used-bytes = 2380 !!!
Only one put request can exceed quotas, but it is one too many!
So I wonder if there could be a bug in the client library and if there
is a second solution to get the content length before doing the put
method. If I could go beyond quota limits by accident, somebody else
could do it intentionally.
I thought that the server could throw an event every X bytes put on the
server for a put method, so that we can detect "hacking"?
Thank you for your help.
Thomas
--
+---=( Thomas Bellembois )=---+
| CRI - University of Rennes 1 - FR |
| [EMAIL PROTECTED] |
| +33 2 23 23 69 60 |
+-----------------------------------+
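As an added illustration (not code from the original mail, nor from the Slide project) of the two-stage check discussed above: a cheap pre-check on the declared Content-Length, plus a streaming count of the bytes actually received so that a request with an unknown length (-1) can still be cut off at the quota boundary. Function names, the in-memory store and the 2000/1980/400-byte figures are constructed to reproduce the scenario in the mail.

```python
from typing import Iterable, Iterator

UNKNOWN_LENGTH = -1  # value reported when the request carries no usable Content-Length


class QuotaExceeded(Exception):
    """Raised when a PUT body would push quota-used-bytes past quota-available-bytes."""


def put_precheck(content_length: int, used: int, available: int) -> bool:
    """Pre-check on the declared Content-Length. Returns True if the PUT may proceed.
    With UNKNOWN_LENGTH the header tells us nothing, so the request is let in and the
    streaming check below becomes the only enforcement point."""
    if content_length == UNKNOWN_LENGTH:
        return True
    return used + content_length <= available


def quota_guarded_body(chunks: Iterable[bytes], used: int, available: int) -> Iterator[bytes]:
    """Yield body chunks while counting bytes actually received, independent of
    whatever Content-Length claimed. Aborts the transfer as soon as the running
    total would exceed the quota, so at most (available - used) bytes pass through."""
    received = 0
    for chunk in chunks:
        received += len(chunk)
        if used + received > available:
            raise QuotaExceeded(
                f"aborted after {received} bytes; only {available - used} allowed")
        yield chunk


def handle_put(chunks: Iterable[bytes], content_length: int, used: int, available: int) -> int:
    """Return the updated quota-used-bytes after a successful PUT, or raise QuotaExceeded.
    Quota MD is updated from bytes actually stored, never from the declared length."""
    if not put_precheck(content_length, used, available):
        raise QuotaExceeded("declared Content-Length exceeds quota")
    stored = bytearray()  # stand-in for the backing store; a real server must also
    for chunk in quota_guarded_body(chunks, used, available):  # discard partial writes
        stored.extend(chunk)                                    # on abort
    return used + len(stored)


# Constructed reproduction of the mail's figures: 400 B file sent in 100 B chunks.
BODY_400 = [b"x" * 100] * 4

if __name__ == "__main__":
    try:
        handle_put(BODY_400, UNKNOWN_LENGTH, used=1980, available=2000)
    except QuotaExceeded as e:
        print("rejected:", e)
```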