Hi Rebecca,
I finally figured out my problem with respect to RESTEASY-1484
"CVE-2016-6346: Abuse of GZIPInterceptor in can lead to denial of
service attack". I want to impose a maximum size on the file that gets
unzipped, and I was having a problem when the payload was going from
server to client. It turns out that, by default, HttpClient will deflate
a gzipped payload, so, by the time Resteasy gets it, it's already
unzipped. That behavior can be turned off with:

    protected HttpClient createDefaultHttpClient()
    {
        final HttpClientBuilder builder = HttpClientBuilder.create();
        RequestConfig.Builder requestBuilder = RequestConfig.custom();
        if (defaultProxy != null)
        {
            requestBuilder.setProxy(defaultProxy);
        }
        builder.disableContentCompression(); // <<===
        builder.setDefaultRequestConfig(requestBuilder.build());
        return builder.build();
    }

Do you see any problem with that?
Thanks,
Ron
--
My company's smarter than your company (unless you work for Red Hat)