  1. Crowd Data Center
  2. CWD-1354

Crowd does not protect itself against searchPrincipals without a predicate


    • Type: Suggestion
    • Resolution: Won't Fix
    • None
    • Database
    • None

      See https://extranet.atlassian.com/jira/browse/ADM-2735

      <?xml version="1.0"?>
      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      	<soap:Body>
      		<ns1:searchPrincipals xmlns:ns1="urn:SecurityServer">
      			<ns1:in0>
      				<name xmlns="http://authentication.integration.crowd.atlassian.com">xxx</name>
      				<token xmlns="http://authentication.integration.crowd.atlassian.crowd">xxx</token>
      			</ns1:in0>
      			<ns1:in1/>
      		</ns1:searchPrincipals>
      	</soap:Body>
      </soap:Envelope>
      

      Causes Crowd to return all principals, which consumes a potentially unlimited amount of heap, CPU and DB resources.

              Unassigned
              dcheney David Cheney (Inactive)
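
A front-end check for the request shown above, as an added example that is not part of the original issue or Crowd's own code: it parses a SOAP envelope and refuses a `searchPrincipals` call whose `in1` element is absent or empty. The sample envelopes are constructed, and the `restriction` child element is a hypothetical stand-in for a real search restriction.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SEC_NS = "urn:SecurityServer"  # namespace of searchPrincipals in the request above


def check_search_principals(envelope: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) for one SOAP request body."""
    # SOAP 1.1 messages must not carry a DTD; refusing one also blocks entity expansion.
    if b"<!DOCTYPE" in envelope or b"<!ENTITY" in envelope:
        return False, "DTD not allowed in SOAP request"
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    body = root.find(f"{{{SOAP_NS}}}Body")
    if root.tag != f"{{{SOAP_NS}}}Envelope" or body is None:
        return False, "not a SOAP 1.1 envelope"
    call = body.find(f"{{{SEC_NS}}}searchPrincipals")
    if call is None:
        return True, "not a searchPrincipals call"
    predicate = call.find(f"{{{SEC_NS}}}in1")
    # An absent or childless in1 (<ns1:in1/>) is the "no predicate" case from the issue.
    if predicate is None or len(predicate) == 0:
        return False, "searchPrincipals without a predicate"
    return True, "searchPrincipals with a predicate"


# Constructed sample envelopes (credentials omitted; in0 left empty on purpose).
_TEMPLATE = (
    '<?xml version="1.0"?>'
    '<soap:Envelope xmlns:soap="{soap}"><soap:Body>'
    '<ns1:searchPrincipals xmlns:ns1="{sec}"><ns1:in0/>{in1}</ns1:searchPrincipals>'
    '</soap:Body></soap:Envelope>'
)


def build_sample(in1: str) -> bytes:
    return _TEMPLATE.format(soap=SOAP_NS, sec=SEC_NS, in1=in1).encode("utf-8")


NO_PREDICATE = build_sample("<ns1:in1/>")
# <restriction> is a hypothetical child element, not Crowd's real schema.
WITH_PREDICATE = build_sample("<ns1:in1><restriction>placeholder</restriction></ns1:in1>")

if __name__ == "__main__":
    for name, sample in (("no predicate", NO_PREDICATE), ("with predicate", WITH_PREDICATE)):
        print(name, "->", check_search_principals(sample))
```
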