I don't see any problem with that change.
----- Original Message -----
From: "Ron Sigal" <rsigal(a)redhat.com>
To: "Rebecca Searls" <rsearls(a)redhat.com>
Cc: resteasy-dev(a)lists.jboss.org
Sent: Tuesday, September 20, 2016 9:01:43 PM
Subject: HttpClient question
Hi Rebecca,
I finally figured out my problem with respect to RESTEASY-1484
"CVE-2016-6346: Abuse of GZIPInterceptor in can lead to denial of
service attack". I want to impose a maximum size on the file that gets
unzipped, and I was having a problem when the payload was going from
server to client. It turns out that, by default, HttpClient will deflate
a gzipped payload, so, by the time Resteasy gets it, it's already
unzipped. That behavior can be turned off with:
> protected HttpClient createDefaultHttpClient()
> {
>    final HttpClientBuilder builder = HttpClientBuilder.create();
>    RequestConfig.Builder requestBuilder = RequestConfig.custom();
>    if (defaultProxy != null)
>    {
>       requestBuilder.setProxy(defaultProxy);
>    }
>    builder.disableContentCompression(); // <<===
>    builder.setDefaultRequestConfig(requestBuilder.build());
>    return builder.build();
> }
Do you see any problem with that?
Thanks,
Ron
--
My company's smarter than your company (unless you work for Red Hat)
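
Added example, not part of the original message and not RESTEasy's code: one way to enforce a maximum decompressed size while inflating a gzip stream. A limit like this only applies if the bytes that reach it are still gzipped, which on the client side requires `disableContentCompression()` as shown above. The class name, the helper names and the 1,000,000-byte limit are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

public class BoundedGunzip {
    // Hypothetical limit; the thread does not say which value RESTEasy uses.
    static final int MAX_DECOMPRESSED_BYTES = 1_000_000;

    /** Inflates a gzip stream, aborting as soon as the output would exceed maxBytes. */
    static byte[] gunzip(InputStream compressed, int maxBytes) throws IOException {
        try (GZIPInputStream in = new GZIPInputStream(compressed)) {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[8192];
            long total = 0;
            int n;
            while ((n = in.read(buf)) != -1) {
                total += n;
                if (total > maxBytes) {   // checked before buffering the chunk
                    throw new IOException("decompressed size exceeds " + maxBytes + " bytes");
                }
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }
    /** Test helper: gzip a byte array in memory. */
    static byte[] gzip(byte[] raw) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(bos)) {
            gz.write(raw);
        }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample: 50 MB of zeros, which gzip shrinks to a small fraction of that.
        byte[] big = gzip(new byte[50 * 1024 * 1024]);
        System.out.println("compressed bytes on the wire: " + big.length);
        try {
            gunzip(new ByteArrayInputStream(big), MAX_DECOMPRESSED_BYTES);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        byte[] ok = gunzip(new ByteArrayInputStream(gzip("hello".getBytes("UTF-8"))), MAX_DECOMPRESSED_BYTES);
        System.out.println("small payload accepted: " + new String(ok, "UTF-8"));
    }
}
```

The limit counts inflated bytes, not the Content-Length of the compressed body, so a small request cannot expand past the cap before it is rejected.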