[resteasy-dev] HttpClient question

Ron Sigal rsigal at redhat.com
Wed Sep 21 10:34:17 EDT 2016


Cool. Thanks.


On 09/21/2016 08:51 AM, Rebecca Searls wrote:
> I don't see any problem with that change.
>
> ----- Original Message -----
>> From: "Ron Sigal" <rsigal at redhat.com>
>> To: "Rebecca Searls" <rsearls at redhat.com>
>> Cc: resteasy-dev at lists.jboss.org
>> Sent: Tuesday, September 20, 2016 9:01:43 PM
>> Subject: HttpClient question
>>
>> Hi Rebecca,
>>
>> I finally figured out my problem with respect to RESTEASY-1484
>> "CVE-2016-6346: Abuse of GZIPInterceptor in can lead to denial of
>> service attack". I want to impose a maximum size on the file that gets
>> unzipped, and I was having a problem when the payload was going from
>> server to client. It turns out that, by default, HttpClient will deflate
>> a gzipped payload, so, by the time Resteasy gets it, it's already
>> unzipped. That behavior can be turned off with:
>>
>>>      protected HttpClient createDefaultHttpClient()
>>>      {
>>>          final HttpClientBuilder builder = HttpClientBuilder.create();
>>>          RequestConfig.Builder requestBuilder = RequestConfig.custom();
>>>          if(defaultProxy != null)
>>>          {
>>>              requestBuilder.setProxy(defaultProxy);
>>>          }
>>>          builder.disableContentCompression();  // <<===
>>>          builder.setDefaultRequestConfig(requestBuilder.build());
>>>          return builder.build();
>>>      }
>> Do you see any problem with that?
>>
>> Thanks,
>> Ron
>>
>> --
>> My company's smarter than your company (unless you work for Red Hat)
>>
>>

-- 
My company's smarter than your company (unless you work for Red Hat)

