Re: [resteasy-dev] HttpClient question

From: "Ron Sigal" <rsigal(a)redhat.com&gt; To: "Rebecca Searls" <rsearls(a)redhat.com&gt; Cc: resteasy-dev(a)lists.jboss.org Sent: Tuesday, September 20, 2016 9:01:43 PM Subject: HttpClient question Hi Rebecca, I finally figured out my problem with respect to RESTEASY-1484 "CVE-2016-6346: Abuse of GZIPInterceptor in can lead to denial of service attack". I want to impose a maximum size on the file that gets unzipped, and I was having a problem when the payload was going from server to client. It turns out that, by default, HttpClient will deflate a gzipped payload, so, by the time Resteasy gets it, it's already unzipped. That behavior can be turned off with: > protected HttpClient createDefaultHttpClient() > { > final HttpClientBuilder builder = HttpClientBuilder.create(); > RequestConfig.Builder requestBuilder = RequestConfig.custom(); > if(defaultProxy != null) > { > requestBuilder.setProxy(defaultProxy); > } > builder.disableContentCompression(); // <<=== > builder.setDefaultRequestConfig(requestBuilder.build()); > return builder.build(); > } Do you see any problem with that? Thanks, Ron -- My company's smarter than your company (unless you work for Red Hat)