[resteasy-dev] HttpClient question
Rebecca Searls
rsearls at redhat.com
Wed Sep 21 08:51:42 EDT 2016
I don't see any problem with that change.
----- Original Message -----
> From: "Ron Sigal" <rsigal at redhat.com>
> To: "Rebecca Searls" <rsearls at redhat.com>
> Cc: resteasy-dev at lists.jboss.org
> Sent: Tuesday, September 20, 2016 9:01:43 PM
> Subject: HttpClient question
>
> Hi Rebecca,
>
> I finally figured out my problem with respect to RESTEASY-1484
> "CVE-2016-6346: Abuse of GZIPInterceptor in can lead to denial of
> service attack". I want to impose a maximum size on the file that gets
> unzipped, and I was having a problem when the payload was going from
> server to client. It turns out that, by default, HttpClient will deflate
> a gzipped payload, so, by the time Resteasy gets it, it's already
> unzipped. That behavior can be turned off with:
>
> > protected HttpClient createDefaultHttpClient()
> > {
> >     final HttpClientBuilder builder = HttpClientBuilder.create();
> >     RequestConfig.Builder requestBuilder = RequestConfig.custom();
> >     if (defaultProxy != null)
> >     {
> >         requestBuilder.setProxy(defaultProxy);
> >     }
> >     builder.disableContentCompression(); // <<===
> >     builder.setDefaultRequestConfig(requestBuilder.build());
> >     return builder.build();
> > }
>
> Do you see any problem with that?
>
> Thanks,
> Ron
>
> --
> My company's smarter than your company (unless you work for Red Hat)
>
>