Cool. Thanks.
On 09/21/2016 08:51 AM, Rebecca Searls wrote:
I don't see any problem with that change.
----- Original Message -----
> From: "Ron Sigal" <rsigal(a)redhat.com>
> To: "Rebecca Searls" <rsearls(a)redhat.com>
> Cc: resteasy-dev(a)lists.jboss.org
> Sent: Tuesday, September 20, 2016 9:01:43 PM
> Subject: HttpClient question
>
> Hi Rebecca,
>
> I finally figured out my problem with respect to RESTEASY-1484
> "CVE-2016-6346: Abuse of GZIPInterceptor in can lead to denial of
> service attack". I want to impose a maximum size on the file that gets
> unzipped, and I was having a problem when the payload was going from
> server to client. It turns out that, by default, HttpClient will deflate
> a gzipped payload, so, by the time Resteasy gets it, it's already
> unzipped. That behavior can be turned off with:
>
>> protected HttpClient createDefaultHttpClient()
>> {
>>    final HttpClientBuilder builder = HttpClientBuilder.create();
>>    RequestConfig.Builder requestBuilder = RequestConfig.custom();
>>    if (defaultProxy != null)
>>    {
>>       requestBuilder.setProxy(defaultProxy);
>>    }
>>    builder.disableContentCompression(); // <<===
>>    builder.setDefaultRequestConfig(requestBuilder.build());
>>    return builder.build();
>> }
> Do you see any problem with that?
>
> Thanks,
> Ron
>
> --
> My company's smarter than your company (unless you work for Red Hat)
--
My company's smarter than your company (unless you work for Red Hat)
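
The size limit discussed in this thread only protects anything if the code enforcing it sees the bytes while they are still compressed, which is why automatic decompression in the HTTP client gets in the way. The following is an added example, not part of the original messages and not RESTEasy's code: a bounded gzip reader that aborts once the inflated size passes a limit. The class name `BoundedGunzip`, the 1 MB limit and the sample payloads are assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

// Hypothetical helper (not RESTEasy code): inflate a gzip body, but stop as soon
// as the decompressed size passes maxBytes so a small bomb cannot exhaust memory.
public class BoundedGunzip {
    static byte[] gunzip(InputStream compressed, long maxBytes) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        long total = 0;
        try (GZIPInputStream in = new GZIPInputStream(compressed)) {
            int n;
            while ((n = in.read(buf)) != -1) {
                total += n; // counts inflated bytes, not bytes on the wire
                if (total > maxBytes) {
                    throw new IOException("decompressed entity exceeds " + maxBytes + " bytes");
                }
                out.write(buf, 0, n);
            }
        }
        return out.toByteArray();
    }

    // Builds constructed sample input for the demo below.
    static byte[] gzip(byte[] raw) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(bos)) {
            gz.write(raw);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        long limit = 1_000_000;                              // constructed limit
        byte[] small = gzip("hello".getBytes("UTF-8"));      // constructed payload
        byte[] bomb = gzip(new byte[20_000_000]);            // constructed: 20 MB of zeros
        System.out.println("bomb size on the wire: " + bomb.length + " bytes");
        System.out.println("small body inflated to " + gunzip(new ByteArrayInputStream(small), limit).length + " bytes");
        try {
            gunzip(new ByteArrayInputStream(bomb), limit);
        } catch (IOException e) {
            System.out.println("bomb rejected: " + e.getMessage());
        }
    }
}
```

The check runs per read, so at most one buffer beyond the limit is ever inflated, regardless of how small the compressed input is.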