chemistry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emrul Islam <em...@emrul.com>
Subject Security related question
Date Tue, 16 Aug 2016 23:46:53 GMT
Whilst working on a CMIS server implementation I happened to be
examining the CmisBrowserBindingServlet class and noticed that for
HTTP POST requests POSTHttpServletRequestWrapper is instantiated
before any authentication checks are carried out (e.g. before
getCallContextHandler() is invoked where a TokenHandler can check the
request).

POSTHttpServletRequestWrapper appears to process multi-part requests
as soon as it is created, getting an output stream to store data.

Unless I am mistaken (and forgive me if I am), it is conceivable that
this approach is vulnerable to Denial of Service attacks: you can send
a bunch of POST requests with multi-part data to the server that will
cause it to allocate memory (if less than memory threshold) and or
temp file space (if greater than memory threshold) and exhaust system
resources.

I would suggest that authentication should be checked before
processing multi-part requests in keeping with best practices (e.g.
rejecting unauthenticated requests as soon as possible).

Mime
View raw message