hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jon Moore (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.
Date Thu, 12 Jan 2012 20:48:40 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13185226#comment-13185226

Jon Moore commented on HTTPCLIENT-1153:

@Sebb: I don't think this applies to us, as we're not using a HashMap. Rather, I'm applying
a hash function to map one set of values (the URLs the caching layer uses as cache keys) to
another set of values (keys short enough to fit in the 250-byte constraint). The actual data
structure (if any) that might be affected here would be in memcached. However, I'm planning
on using a cryptographic hash algorithm, so it's unlikely to be subject to the types of the
attacks described in the vulnerability (e.g. the very simple hash functions commonly used
for Object#hashCode()).
> org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache
key - shouldn't.
> --------------------------------------------------------------------------------------------------------
>                 Key: HTTPCLIENT-1153
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1153
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.1.1, 4.1.2
>            Reporter: Clinton Nielsen
>            Assignee: Jon Moore
>             Fix For: 4.1.3, 4.2 Alpha2
> Spy memcached has 250 defined as max key length:
> http://dustin.github.com/java-memcached-client/apidocs/constant-values.html#net.spy.memcached.MemcachedClientIF.MAX_KEY_LENGTH
> URLs can be (and often are) much longer than 250 characters.
> URLs should be hashed before being used as keys.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org

View raw message