Please add this issue to Jira.
Thanks
Boris
On 22.11.2005, at 18:31, (Adam Cooper) wrote:
Magnolians/Developers,
Is there a way to lock down the type of extensions allowed for html
requests? I have been seeing several shotgun type DOS attempts
against my Magnolia/Tomcat server to pages with a "/" after them.
Magnolia seems to serve them up OK to a point but after a good
pounding the attack manages to cause the JVM Heap to blow (already in
the works of making more JVM memory available to Magnolia).
Basically, what I want to do is force the requests for html pages to
only have an extension of .html. As of now you can get a page to come
back with ..../index.htm or ...../index.blahblahblah and also what I
am seeing in my log is for something like ...../index.html/ You can
even just do ..../index and it will work. I realize that these are
logically servlets and this is probably acceptable behavior but one of
the major selling points of Magnolia is that pages appear as static
HTML to the end user. Being able to fudge with the extension is a
pretty huge clue that more is going on than just html pages.
Here is an example of what is happening:
INFO info.magnolia.cms.beans.config.MIMEMapping MIMEMapping.java(getMIMEType:163) 22.11.2005 00:45:16 Cannot find MIME type for extension "html/"
INFO info.magnolia.cms.beans.config.MIMEMapping MIMEMapping.java(getMIMEType:163) 22.11.2005 00:45:16 Cannot find MIME type for extension "html/"
INFO info.magnolia.cms.beans.config.MIMEMapping MIMEMapping.java(getMIMEType:163) 22.11.2005 00:45:16 Cannot find MIME type for extension "html/"
INFO info.magnolia.cms.beans.config.MIMEMapping MIMEMapping.java(getMIMEType:163) 22.11.2005 00:45:17 Cannot find MIME type for extension "html/"
INFO info.magnolia.cms.beans.config.MIMEMapping MIMEMapping.java(getMIMEType:163) 22.11.2005 00:45:17 Cannot find MIME type for extension "html/"
INFO info.magnolia.cms.beans.config.MIMEMapping MIMEMapping.java(getMIMEType:163) 22.11.2005 00:45:17 Cannot find MIME type for extension "html/"
INFO info.magnolia.cms.beans.config.MIMEMapping MIMEMapping.java(getMIMEType:163) 22.11.2005 00:45:17 Cannot find MIME type for extension "html/"
INFO info.magnolia.cms.beans.config.MIMEMapping MIMEMapping.java(getMIMEType:163) 22.11.2005 00:45:21 Cannot find MIME type for extension "html/"
And a whole ton more.....
Any recommendations? I tried adding html/ to the MIME mappings and
this removes the errors (and hopefully whatever caching problems that
caused the heap to blow) but it seems like a kludge to me. I would
rather the user get a nice fat 404 when they are trying to be a
smartass.
Any help at all would be greatly appreciated. It's been a rough
morning :)
--
Adam Cooper
----------------------------------------------------------------
for list details see
http://www.magnolia.info/en/magnolia/developer.html
----------------------------------------------------------------
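One way to get the 404 asked for above is a servlet filter that rejects any request whose last path segment does not end in an allow-listed extension, before the request reaches the CMS. This is an added example, not part of the original thread and not Magnolia code; the class name and the allowedExtensions init-param are hypothetical, and it assumes the filter is declared in web.xml with a filter-mapping that runs ahead of Magnolia's own request handling.

```java
// Added example, not Magnolia code. Class name and the "allowedExtensions"
// init-param are hypothetical. Written against javax.servlet; newer
// containers use the jakarta.servlet package instead.
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ExtensionAllowListFilter implements Filter {
    private final Set<String> allowed = new HashSet<String>();

    public void init(FilterConfig cfg) {
        String param = cfg.getInitParameter("allowedExtensions");
        // Default is only "html"; list every extension the site really serves.
        String list = (param == null) ? "html" : param;
        for (String ext : list.split(",")) {
            allowed.add(ext.trim().toLowerCase());
        }
    }

    // Pure decision function so it can be unit-tested without a container.
    static boolean isAllowed(String path, Set<String> allowed) {
        if (path.equals("") || path.equals("/")) return true;  // site root
        if (path.endsWith("/")) return false;                   // ".../index.html/"
        String last = path.substring(path.lastIndexOf('/') + 1);
        int semi = last.indexOf(';');                            // drop ";jsessionid=..."
        if (semi >= 0) last = last.substring(0, semi);
        int dot = last.lastIndexOf('.');
        if (dot < 0) return false;                               // ".../index"
        return allowed.contains(last.substring(dot + 1).toLowerCase());
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Strip the context path so the check sees the application-relative path.
        String path = http.getRequestURI().substring(http.getContextPath().length());
        if (isAllowed(path, allowed)) {
            chain.doFilter(req, res);   // hand over to the CMS
        } else {
            // Reject before any CMS lookup, MIME mapping or caching runs.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    public void destroy() { }
}
```

With the default of html only, requests for images, stylesheets and any extensionless URLs the site depends on are also refused, so either list those extensions in the init-param or map the filter only to the URL patterns that serve pages.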