Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: Release Branch 13.07, Trunk, Release Branch 15.12, Release Branch 16.11
    • Fix Version/s: Upcoming Release, 16.11.02
    • Component/s: ecommerce
    • Labels: None
    • Sprint: Bug Crush Event - 21/2/2015

      Description

      When accessing a file/image in ecommerce (only the seo version) that is physically missing or whose dataresource attribute isPublic=="N", the request results in a loop.

      Demo data:

      <Content contentId="test" contentTypeId="DOCUMENT" dataResourceId="test" statusId="CTNT_PUBLISHED"/>
      <DataResource dataResourceId="test" dataResourceTypeId="LOCAL_FILE" dataTemplateTypeId="NONE" statusId="CTNT_PUBLISHED" dataResourceName="Test Image" objectInfo="PATH TO FILE" isPublic="N" />
      <Content contentId="testurl" contentTypeId="DOCUMENT" dataResourceId="testurl" statusId="CTNT_PUBLISHED"/>
      <DataResource dataResourceId="testurl" dataResourceTypeId="URL_RESOURCE" dataTemplateTypeId="NONE" statusId="CTNT_PUBLISHED" objectInfo="/testbild-content" isPublic="N"/>
      <ContentAssoc contentId="test" contentIdTo="testurl" contentAssocTypeId="ALTERNATE_URL" fromDate="2006-09-22 00:00:00.0"/>

      Call:
      /ecomseo/testbild-content
      /ecomseo/stream?contentId=test

      I found that because I had server problems (server down), so it is quite easy to kill the server by streaming a non-existing contentId via the ecomseo app.

      /ecomseo/stream?contentId=test1

      1. errror.txt (287 kB, Ingo Wolfmayr)

        Activity

        iwolf Ingo Wolfmayr added a comment -

        Part of the error message

        jacques.le.roux Jacques Le Roux added a comment - edited

        Ouch! It's not exactly an infinite loop. Here it took 4+ seconds

        2017-02-02 22:29:18,344 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
        [...]
        2017-02-02 22:29:22,410 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)] Request Done- total:4.066,since last([stream(Domain:ht...):4.066]]

        But indeed it can be easily used with a massive DDOS. So this is a security issue and since it's already disclosed I make it a subtask of OFBIZ-1525

        Please Ingo note that in case of security issues the ASF has some logical recommendations that we relay in the "Security Vulnerabilities" section at http://ofbiz.apache.org/download.html

        Thanks

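An added example, not code from this ticket or from OFBiz: a small Python check that parses the ControlServlet timing lines quoted above (plus two constructed lines for a fast "main" request, for contrast) and flags completed requests whose server-side total exceeds a threshold, as well as threads that logged "Request Begun" with no matching "Request Done". A cluster of slow or still-open stream requests is what the behaviour described in this ticket would leave behind in the log.

```python
import re

# ControlServlet timing lines: the two quoted in this ticket, plus two constructed
# lines for a fast "main" request so the filter has something to ignore.
SAMPLE_LOG = [
    "2017-02-02 22:29:18,344 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]",
    "2017-02-02 22:29:22,410 |http-nio-8443-exec-8 |ControlServlet                |T| [[[stream(Domain:https://localhost)] Request Done- total:4.066,since last([stream(Domain:ht...):4.066]]",
    "2017-02-02 22:29:25,001 |http-nio-8443-exec-2 |ControlServlet                |T| [[[main(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]",  # constructed
    "2017-02-02 22:29:25,032 |http-nio-8443-exec-2 |ControlServlet                |T| [[[main(Domain:https://localhost)] Request Done- total:0.031,since last([main(Domain:https...):0.031]]",  # constructed
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \|(?P<thread>\S+)\s*\|ControlServlet\s*\|T\| "
    r"\[\[\[(?P<request>[^(]+)\(Domain:[^)]*\)\] Request (?P<phase>Begun|Done).*?- total:(?P<total>[\d.]+)"
)

def parse_line(line):
    """Return ts/thread/request/phase/total (seconds) for a timing line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["total"] = float(rec["total"])
    return rec

def slow_requests(lines, threshold_seconds=2.0):
    """(thread, request, total) for every completed request slower than the threshold."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["phase"] == "Done" and rec["total"] > threshold_seconds:
            hits.append((rec["thread"], rec["request"], rec["total"]))
    return hits

def in_flight(lines):
    """Threads with a 'Request Begun' but no later 'Request Done': requests still hanging."""
    open_by_thread = {}
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        if rec["phase"] == "Begun":
            open_by_thread[rec["thread"]] = rec["request"]
        else:
            open_by_thread.pop(rec["thread"], None)
    return open_by_thread

if __name__ == "__main__":
    print("slow:", slow_requests(SAMPLE_LOG), "open:", in_flight(SAMPLE_LOG))
```

Run it against a real ofbiz.log tail with a threshold tuned to the site's normal stream times; a single request name dominating both lists is the signal worth alerting on.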
        iwolf Ingo Wolfmayr added a comment -

        Hi Jacques,

        you're right, it took a little longer on my dev environment ~ between 40 to 80 seconds. I did not wait for it to finish before. I changed the title.

        Ingo

        jacques.le.roux Jacques Le Roux added a comment -

        Thanks for the report Ingo

        I resolved the issue in
        trunk r1781662
        R16.11 and R15.12 r1781664
        Other branches don't contain ecomseo

        I was unable to load your data, got this error

        ERROR: parsing file: ERROR parsing Entity Xml file: org.xml.sax.SAXException: A transaction error occurred reading data
        org.xml.sax.SAXException: Fatal Error reading XML on line 2, column 2
        org.xml.sax.SAXParseException; lineNumber: 2; columnNumber: 2; The markup in the document following the root element must be well-formed.

        and did not look further.

        Please check if the fix is OK with you and close if you agree

        iwolf Ingo Wolfmayr added a comment -

        Thanks Jacques. It works fine!


          People

          • Assignee: jacques.le.roux Jacques Le Roux
          • Reporter: iwolf Ingo Wolfmayr
          • Votes: 0
          • Watchers: 2