ofbiz-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-9198) Missing file results in infinite loop
Date Thu, 02 Feb 2017 21:36:51 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-9198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15850552#comment-15850552
] 

Jacques Le Roux commented on OFBIZ-9198:
----------------------------------------

Ouch! It's not exactly an infinite loop. Here it tooks 4+ seconds
{code}
2017-02-02 22:29:18,344 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)]
Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
[...]
2017-02-02 22:29:22,410 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)]
Request Done- total:4.066,since last([stream(Domain:ht...):4.066]]
{code}
But indeed it can be easily used with a massive DDOS. So this is a security issue and since
it's already disclosed I make it a subtask of OFBIZ-1525

Please Ingo note that in case of security issues the ASF has some logical recommendation that
we relay in the "Security Vulnerabilities" section at http://ofbiz.apache.org/download.html


Thanks

> Missing file results in infinite loop
> -------------------------------------
>
>                 Key: OFBIZ-9198
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9198
>             Project: OFBiz
>          Issue Type: Bug
>          Components: specialpurpose/ecommerce
>    Affects Versions: Release Branch 13.07, Trunk, Release Branch 15.12, Release Branch
16.11
>            Reporter: Ingo Wolfmayr
>            Assignee: Jacques Le Roux
>            Priority: Critical
>         Attachments: errror.txt
>
>
> When accessing a file/image in ecommerce (only seo version) that is physically missing
or the dataresource attribute isPublic=="N" the request results in an infinite loop.
> Demo data: 
> <Content contentId="test" contentTypeId="DOCUMENT" dataResourceId="test" statusId="CTNT_PUBLISHED"/>
> <DataResource dataResourceId="test" dataResourceTypeId="LOCAL_FILE" dataTemplateTypeId="NONE"
statusId="CTNT_PUBLISHED" dataResourceName="Test Image" objectInfo="PATH TO FILE" isPublic="N"
 />
> <Content contentId="testurl" contentTypeId="DOCUMENT" dataResourceId="testurl" statusId="CTNT_PUBLISHED"/>
> <DataResource dataResourceId="testurl" dataResourceTypeId="URL_RESOURCE" dataTemplateTypeId="NONE"
statusId="CTNT_PUBLISHED" objectInfo="/testbild-content" isPublic="N"/>
> <ContentAssoc contentId="test" contentIdTo="testurl" contentAssocTypeId="ALTERNATE_URL"
fromDate="2006-09-22 00:00:00.0"/>
> Call:
> /ecomseo/testbild-content
> /ecomseo/stream?contentId=test
> I found that because I had server problems (server down), so it is quite easy to kill
the server by streaming a not existing contentId via via the ecomseo app.
> /ecomseo/stream?contentId=test1



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message