From: Emrul Islam
Date: Wed, 17 Aug 2016 00:46:53 +0100
Subject: Security related question
To: dev@chemistry.apache.org
Mailing-List: dev@chemistry.apache.org

Whilst working on a CMIS server implementation I happened to be examining the CmisBrowserBindingServlet class and noticed that for HTTP POST requests POSTHttpServletRequestWrapper is instantiated before any authentication checks are carried out (e.g. before getCallContextHandler() is invoked, where a TokenHandler can check the request). POSTHttpServletRequestWrapper appears to process multi-part requests as soon as it is created, getting an output stream to store data.

Unless I am mistaken (and forgive me if I am), it is conceivable that this approach is vulnerable to Denial of Service attacks: you can send a bunch of POST requests with multi-part data to the server that will cause it to allocate memory (if less than the memory threshold) and/or temp file space (if greater than the memory threshold) and exhaust system resources.

I would suggest that authentication should be checked before processing multi-part requests, in keeping with best practices (e.g. rejecting unauthenticated requests as soon as possible).
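One way to get the ordering the message asks for, as an added example that is not part of OpenCMIS or of this thread: a servlet Filter mapped in front of the browser binding servlet that authenticates from the request headers and caps the declared body size before the request reaches anything that parses multipart data. It assumes the Servlet 3.1 API (for getContentLengthLong), HTTP Basic credentials, and a hypothetical CredentialChecker that the application registers at startup; the 64 MiB limit is an arbitrary placeholder.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (not OpenCMIS code): decide on authentication from the
 * request headers alone and reject before any multipart parsing runs. Mapped
 * in front of the CMIS browser binding servlet, an unauthenticated POST is
 * answered 401 without its body ever being read, so no in-memory buffer or
 * temp file is allocated on the caller's behalf.
 */
public class AuthBeforeMultipartFilter implements Filter {

    /** Hypothetical credential check; the application wires a real one at startup. */
    public interface CredentialChecker {
        boolean isValid(String user, String password);
    }

    // Deny everything until the application registers a checker (fail closed).
    private static volatile CredentialChecker checker = (user, password) -> false;

    // Hypothetical upper bound for a CMIS POST body; tune to the deployment.
    private static final long MAX_CONTENT_LENGTH = 64L * 1024 * 1024;

    public static void setCredentialChecker(CredentialChecker c) {
        checker = c;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure for the example
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Step 1: authenticate from headers only. Nothing here calls
        // getInputStream() or getReader(), so the body stays unread.
        String[] userPass = parseBasicAuth(request.getHeader("Authorization"));
        if (userPass == null || !checker.isValid(userPass[0], userPass[1])) {
            response.setHeader("WWW-Authenticate", "Basic realm=\"cmis\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // rejected before any multipart processing could allocate
        }

        // Step 2: for authenticated callers, refuse oversized bodies up front.
        // Content-Length is -1 for chunked uploads, so this is only a first
        // line of defence; the multipart parser must still enforce its own cap.
        long declared = request.getContentLengthLong();
        if (declared > MAX_CONTENT_LENGTH) {
            response.sendError(413); // Payload Too Large
            return;
        }

        // Step 3: only now hand the request to the servlet that will parse it.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release for the example
    }

    /** Returns {user, password} from a Basic Authorization header, or null if absent or malformed. */
    static String[] parseBasicAuth(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null;
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }
}
```

Map the filter (via web.xml filter-mapping or @WebFilter) on the same url-pattern as the browser binding servlet so it runs first. The container still receives the request bytes on the socket, but on the rejection path nothing copies them into an application buffer or a temp file, which is the resource the message is concerned about; the size check only narrows the exposure for authenticated callers and does not replace the parser's own memory threshold and maximum size settings.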