[resteasy-dev] HttpClient question

Ron Sigal rsigal at redhat.com
Tue Sep 20 21:01:43 EDT 2016


Hi Rebecca,

I finally figured out my problem with respect to RESTEASY-1484 
"CVE-2016-6346: Abuse of GZIPInterceptor in can lead to denial of 
service attack". I want to impose a maximum size on the file that gets 
unzipped, and I was having a problem when the payload was going from 
server to client. It turns out that, by default, HttpClient will deflate 
a gzipped payload, so, by the time Resteasy gets it, it's already 
unzipped. That behavior can be turned off with:

>     protected HttpClient createDefaultHttpClient()
>     {
>         final HttpClientBuilder builder = HttpClientBuilder.create();
>         RequestConfig.Builder requestBuilder = RequestConfig.custom();
>         if(defaultProxy != null)
>         {
>             requestBuilder.setProxy(defaultProxy);
>         }
>         builder.disableContentCompression();  // <<===
>         builder.setDefaultRequestConfig(requestBuilder.build());
>         return builder.build();
>     }

Do you see any problem with that?

Thanks,
Ron

-- 
My company's smarter than your company (unless you work for Red Hat)
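As an added example (not Ron's code and not from the Resteasy project), a hypothetical BoundedGZIPInputStream that enforces the kind of maximum inflated size discussed above; on the client side it only ever sees gzipped bytes if HttpClient was built with disableContentCompression(), as in the snippet. The 8 MiB-of-zeros payload and the 1 MiB limit are constructed demo values.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

// Hypothetical helper: a GZIPInputStream that stops inflating once maxBytes is exceeded,
// so a small compressed body cannot expand without bound on the receiving side.
public final class BoundedGZIPInputStream extends GZIPInputStream {
    private final long maxBytes;
    private long inflated;

    public BoundedGZIPInputStream(InputStream in, long maxBytes) throws IOException {
        super(in);
        this.maxBytes = maxBytes;
    }

    // InflaterInputStream.read() delegates to this method, so counting here covers both paths.
    @Override
    public int read(byte[] buf, int off, int len) throws IOException {
        int n = super.read(buf, off, len);
        if (n > 0) {
            inflated += n;
            if (inflated > maxBytes) {
                throw new IOException("gzip payload exceeds " + maxBytes + " bytes after inflation");
            }
        }
        return n;
    }

    // Constructed demo: 8 MiB of zeros compresses to a few KiB; inflation is capped at 1 MiB.
    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream gz = new ByteArrayOutputStream();
        try (GZIPOutputStream out = new GZIPOutputStream(gz)) {
            byte[] zeros = new byte[1 << 20];
            for (int i = 0; i < 8; i++) out.write(zeros);
        }
        System.out.println("compressed size: " + gz.size() + " bytes");
        try (InputStream in = new BoundedGZIPInputStream(new ByteArrayInputStream(gz.toByteArray()), 1L << 20)) {
            byte[] buf = new byte[8192];
            long total = 0;
            int n;
            while ((n = in.read(buf)) != -1) total += n;
            System.out.println("inflated " + total + " bytes");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());  // expected: limit exceeded at ~1 MiB
        }
    }
}
```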


