jackrabbit-dev mailing list archives

From "Edgar Poce (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JCR-464) Prevent out of memory errors
Date Fri, 16 Jun 2006 13:58:30 GMT
    [ http://issues.apache.org/jira/browse/JCR-464?page=comments#action_12416496 ] 

Edgar Poce commented on JCR-464:
--------------------------------

Sure, but an anonymous session can write and make use of the transient space; IMHO it yields
a security issue.

E.g. if the CRX demo used the same approach as Jackrabbit, an anonymous user could connect
to the demo and create nodes and properties without saving until the JVM runs out of memory.

Code example to kill the process:

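        import javax.jcr.Node;
        import javax.jcr.Repository;
        import javax.jcr.Session;
        import org.apache.jackrabbit.core.RepositoryImpl;
        import org.apache.jackrabbit.core.config.RepositoryConfig;

        RepositoryConfig c = RepositoryConfig.create(
                "/temp/jackrabbit/repository.xml", "/temp/jackrabbit");
        Repository r = RepositoryImpl.create(c);
        Session s = r.login(); // no credentials: anonymous session
        // save() is never called, so every item stays in the session's transient space
        for (int i = 0; i < 1000000; i++) {
            Node n = s.getRootNode().addNode("node" + i);
            n.setProperty("property" + i, "property" + i);
        }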
  

> Prevent out of memory errors
> ----------------------------
>
>          Key: JCR-464
>          URL: http://issues.apache.org/jira/browse/JCR-464
>      Project: Jackrabbit
>         Type: Improvement
>   Components: core
>     Reporter: Edgar Poce
>     Priority: Minor
>
> Even an anonymous session can kill the JVM; any session can perform write actions until it kills the process by causing an outofmemoryexception.
> I think it would be good to add a configuration parameter to specify the max size of the transient ISMs and the max number of sessions.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
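
The two limits proposed in the issue description above (a cap on unsaved transient items per session and a cap on the number of sessions), sketched as an added example that is not Jackrabbit code and not part of the original message. The class `TransientQuota`, its method names and the limit values are hypothetical; it counts items rather than bytes.

```java
import java.util.HashMap;
import java.util.Map;

/** Hypothetical model (not Jackrabbit API): bounds open sessions and unsaved items per session. */
public class TransientQuota {
    private final int maxSessions;
    private final int maxTransientItems;
    private final Map<String, Integer> pending = new HashMap<>(); // session id -> unsaved item count

    public TransientQuota(int maxSessions, int maxTransientItems) {
        this.maxSessions = maxSessions;
        this.maxTransientItems = maxTransientItems;
    }

    /** Called at login; refuses new sessions once the cap is reached. */
    public synchronized void open(String sessionId) {
        if (pending.containsKey(sessionId)) return;
        if (pending.size() >= maxSessions) throw new IllegalStateException("session limit reached");
        pending.put(sessionId, 0);
    }

    /** Called before each operation that creates an unsaved node or property. */
    public synchronized void reserve(String sessionId) {
        Integer count = pending.get(sessionId);
        if (count == null) throw new IllegalStateException("unknown session");
        if (count >= maxTransientItems)
            throw new IllegalStateException("transient limit reached; save() or refresh(false) first");
        pending.put(sessionId, count + 1);
    }

    /** Called after save() or refresh(false), which empty the transient space. */
    public synchronized void flushed(String sessionId) { pending.replace(sessionId, 0); }

    /** Called at logout so the session slot is released. */
    public synchronized void close(String sessionId) { pending.remove(sessionId); }

    public static void main(String[] args) {
        TransientQuota quota = new TransientQuota(2, 1000); // constructed limits
        quota.open("anonymous-1");
        int accepted = 0;
        try {
            for (int i = 0; i < 1_000_000; i++) { // same loop shape as the snippet in the message
                quota.reserve("anonymous-1");     // one reservation per unsaved item
                accepted++;
            }
        } catch (IllegalStateException e) {
            System.out.println("rejected after " + accepted + " unsaved items: " + e.getMessage());
        }
    }
}
```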

