jackrabbit-oak-issues mailing list archives

From "Dominique Pfister (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OAK-1633) Drop custom HTTP code in oak-mk-remote
Date Mon, 07 Apr 2014 16:10:18 GMT

    [ https://issues.apache.org/jira/browse/OAK-1633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13961964#comment-13961964 ]

Dominique Pfister commented on OAK-1633:
----------------------------------------

bq. Other things that come to mind right away are denial-of-service attacks, triggered by
a client that would keep opening new connections but never close them or by another one that
posts a multi-gigabyte request to cause an OOME.

Both of these things are very easy to fix.

bq. Such cases and many others that we're certain to miss would be easy to fix by relying
on widely used and actively maintained code instead of writing something on our own.

I don't think there is a component immune to *every* form of DoS attack. The HTTP code in
oak-mk-remote is very tiny and serves some well-defined purpose, so after having fixed the
obvious flaws, I don't see a compelling reason to drop it.

> Drop custom HTTP code in oak-mk-remote
> --------------------------------------
>
>                 Key: OAK-1633
>                 URL: https://issues.apache.org/jira/browse/OAK-1633
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: mk
>            Reporter: Jukka Zitting
>            Priority: Critical
>
> The custom HTTP code in oak-mk-remote has subtle security flaws and should be dropped
> in favor of standard servlet interfaces or something like Apache HttpComponents.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
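
The two denial-of-service cases named in the comment above (connections that are opened and never closed, and an oversized request body that causes an OOME) map to three limits in a hand-written listener. The sketch below is an added example, not code from oak-mk-remote or from the thread; the class name, port and limit values are assumptions, and it needs Java 11 or later.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.*;
// Added illustration: class name, port and limits are assumptions, not oak-mk-remote code.
public class BoundedHttpListener {
    static final int MAX_CONNECTIONS = 64;       // cap on concurrent clients
    static final int READ_TIMEOUT_MS = 10_000;   // longest wait for any single read
    static final long MAX_BODY_BYTES = 1 << 20;  // 1 MiB request body cap
    static final int MAX_LINE = 8192;            // cap on one request or header line
    public static void main(String[] args) throws IOException {
        Semaphore slots = new Semaphore(MAX_CONNECTIONS);
        ExecutorService pool = Executors.newCachedThreadPool();
        try (ServerSocket server = new ServerSocket(8080, 50, InetAddress.getLoopbackAddress())) {
            while (true) {
                Socket s = server.accept();
                if (!slots.tryAcquire()) { s.close(); continue; } // at the cap: shed, do not queue
                pool.execute(() -> {
                    try (Socket c = s) {
                        c.setSoTimeout(READ_TIMEOUT_MS); // a silent client cannot hold the slot
                        handle(c);
                    } catch (IOException | NumberFormatException e) { // timeout or malformed: drop
                    } finally { slots.release(); }
                });
            }
        }
    }

    static void handle(Socket c) throws IOException {
        InputStream in = new BufferedInputStream(c.getInputStream());
        long length = 0;
        for (String line; !(line = readLine(in)).isEmpty(); ) {
            if (line.regionMatches(true, 0, "Content-Length:", 0, 15)) length = Long.parseLong(line.substring(15).trim());
        }
        boolean ok = length >= 0 && length <= MAX_BODY_BYTES; // decided before any buffer is allocated
        if (ok) in.readNBytes((int) length);                  // body read is bounded by the cap
        String status = ok ? "200 OK" : length < 0 ? "400 Bad Request" : "413 Payload Too Large";
        c.getOutputStream().write(("HTTP/1.1 " + status + "\r\nContent-Length: 0\r\nConnection: close\r\n\r\n").getBytes(StandardCharsets.US_ASCII));
    }

    static String readLine(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        for (int b; (b = in.read()) != -1 && b != '\n'; ) {
            if (sb.length() >= MAX_LINE) throw new IOException("header line too long");
            if (b != '\r') sb.append((char) b);
        }
        return sb.toString();
    }
}
```

The socket timeout bounds each individual read, not the whole request, so a client that trickles bytes or sends header lines without end still holds a slot; an overall per-connection deadline and a header-count limit would be needed to close that gap. Chunked request bodies are not handled here.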
