Date: Thu, 12 Jan 2012 20:34:39 +0000 (UTC)
From: "Sebb (Commented) (JIRA)"
To: dev@hc.apache.org
Message-ID: <1066805054.35844.1326400479747.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: <14100643.32235.1324411410866.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Commented] (HTTPCLIENT-1153) org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13185211#comment-13185211 ]

Sebb commented on HTTPCLIENT-1153:
----------------------------------

Do we need to be careful to avoid the recently announced hashtable collision DoS vulnerability which can arise from the Java hashtable implementation [1]?

AIUI, the issue is that by carefully chosen input, an attacker can deliberately cause hash collisions; in turn these cause extra CPU to be used.

[1] http://www.nruns.com/_downloads/advisory28122011.pdf

> org.apache.http.impl.client.cache.memcached.MemcachedHttpCacheStorage uses URL as cache key - shouldn't.
> --------------------------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1153
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1153
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.1.1, 4.1.2
>            Reporter: Clinton Nielsen
>            Assignee: Jon Moore
>             Fix For: 4.1.3, 4.2 Alpha2
>
>
> Spy memcached has 250 defined as max key length:
> http://dustin.github.com/java-memcached-client/apidocs/constant-values.html#net.spy.memcached.MemcachedClientIF.MAX_KEY_LENGTH
> URLs can be (and often are) much longer than 250 characters.
> URLs should be hashed before being used as keys.
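
One way to hash URLs into keys that fit the 250-character limit quoted in the issue, shown as an added example that is not HttpClient's code and not part of the original message. The class and method names are hypothetical, and an in-memory map stands in for the memcached client. The stored entry keeps the original URL, so a key that ever matched a different URL is treated as a miss rather than served.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Added illustration; names are hypothetical, not HttpClient's API.
public class HashedCacheKeyExample {
    static final int MAX_KEY_LENGTH = 250; // limit quoted in the issue

    // SHA-256 in hex: always 64 characters, whatever the URL length.
    static String keyFor(String url) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(url.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }

    // The stored value carries the URL it was cached for.
    static final class Entry {
        final String url; final byte[] body;
        Entry(String url, byte[] body) { this.url = url; this.body = body; }
    }

    // Assumption: a plain map stands in for the memcached client.
    static final Map<String, Entry> store = new HashMap<>();

    static void put(String url, byte[] body) { store.put(keyFor(url), new Entry(url, body)); }

    static byte[] get(String url) {
        Entry e = store.get(keyFor(url));
        // Same key but a different stored URL is a miss, never a hit.
        return (e != null && e.url.equals(url)) ? e.body : null;
    }

    public static void main(String[] args) {
        StringBuilder longUrl = new StringBuilder("http://example.com/search?q=");
        for (int i = 0; i < 400; i++) longUrl.append('a'); // constructed URL, over 250 chars
        String url = longUrl.toString();
        put(url, "cached".getBytes(StandardCharsets.UTF_8));
        String key = keyFor(url);
        System.out.println(url.length() + " chars -> key of " + key.length()
                + " (fits limit: " + (key.length() <= MAX_KEY_LENGTH) + ")");
        System.out.println("hit: " + (get(url) != null) + ", other URL: " + (get(url + "b") != null));
    }
}
```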