Crowd does not protect itself against searchPrincipals without a predicate


    • Type: Suggestion
    • Resolution: Won't Fix
    • Component/s: Database

      See https://extranet.atlassian.com/jira/browse/ADM-2735

      <?xml version="1.0"?>
      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      	<soap:Body>
      		<ns1:searchPrincipals xmlns:ns1="urn:SecurityServer">
      			<ns1:in0>
      				<name xmlns="http://authentication.integration.crowd.atlassian.com">xxx</name>
      				<token xmlns="http://authentication.integration.crowd.atlassian.crowd">xxx</token>
      			</ns1:in0>
      			<ns1:in1/>
      		</ns1:searchPrincipals>
      	</soap:Body>
      </soap:Envelope>
      

      Causes Crowd to return all principals, which consumes a potentially unlimited amount of heap, CPU and DB resources.

            Assignee: Unassigned
            Reporter: David Cheney (Inactive)
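One way a filter in front of the SOAP endpoint could refuse the request shown in the report before it reaches the search, as an added example that is not part of the original report or of Crowd's own code. It assumes search restrictions are sent as child elements of `in1`; `check_request`, `envelope` and the element names inside the sample `in1` are hypothetical.

```python
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
CROWD = "{urn:SecurityServer}"  # namespace of searchPrincipals in the report


def check_request(soap_xml: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one SOAP request body given as text."""
    if "<!DOCTYPE" in soap_xml:
        # SOAP messages must not carry a DTD; refusing it also keeps
        # entity-expansion input away from this parser.
        return False, "DTD not allowed"
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError:
        return False, "malformed XML"
    body = root.find(f"{SOAP}Body")
    if body is None:
        return False, "no SOAP body"
    for call in body.iter(f"{CROWD}searchPrincipals"):
        restrictions = call.find(f"{CROWD}in1")
        # Assumption: every search restriction is a child element of in1, so
        # a missing or childless in1 asks for every principal.
        if restrictions is None or len(restrictions) == 0:
            return False, "searchPrincipals without a predicate"
    return True, "ok"


def envelope(in1: str) -> str:
    """Build a constructed sample request around the given in1 element."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soap:Body><ns1:searchPrincipals xmlns:ns1="urn:SecurityServer">'
        "<ns1:in0><name>xxx</name><token>xxx</token></ns1:in0>"
        f"{in1}</ns1:searchPrincipals></soap:Body></soap:Envelope>"
    )


# Constructed samples; the element names inside in1 are hypothetical.
EMPTY = envelope("<ns1:in1/>")
BOUNDED = envelope(
    "<ns1:in1><restriction><name>example.field</name>"
    "<value>jsmith</value></restriction></ns1:in1>"
)

if __name__ == "__main__":
    for label, request in (("empty in1", EMPTY), ("bounded", BOUNDED)):
        print(label, check_request(request))
```

A filter like this only rejects the unbounded form; a server-side cap on the number of principals returned would still be needed to bound requests whose predicate matches most of the directory.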