chemistry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emrul Islam <>
Subject Security related question
Date Tue, 16 Aug 2016 23:46:53 GMT
Whilst working on a CMIS server implementation I happened to be
examining the CmisBrowserBindingServlet class and noticed that for
HTTP POST requests POSTHttpServletRequestWrapper is instantiated
before any authentication checks are carried out (e.g. before
getCallContextHandler() is invoked where a TokenHandler can check the

POSTHttpServletRequestWrapper appears to process multi-part requests
as soon as it is created, getting an output stream to store data.

Unless I am mistaken (and forgive me if I am), it is conceivable that
this approach is vulnerable to Denial of Service attacks: you can send
a bunch of POST requests with multi-part data to the server that will
cause it to allocate memory (if less than memory threshold) and or
temp file space (if greater than memory threshold) and exhaust system

I would suggest that authentication should be checked before
processing multi-part requests in keeping with best practices (e.g.
rejecting unauthenticated requests as soon as possible).

View raw message