Uploaded image for project: 'Crowd Data Center'
  1. Crowd Data Center
  2. CWD-1354

Crowd does not protect itself against searchPrincipals without a predicate

    XMLWordPrintable

Details

    • Suggestion
    • Resolution: Won't Fix
    • None
    • Database
    • None

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

    Description

      See https://extranet.atlassian.com/jira/browse/ADM-2735

      <?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
	<soap:Body>
		<ns1:searchPrincipals xmlns:ns1="urn:SecurityServer">
			<ns1:in0>
				<name xmlns="http://authentication.integration.crowd.atlassian.com">xxx</name>
				<token xmlns="http://authentication.integration.crowd.atlassian.crowd">xxx</token>
			</ns1:in0>
			<ns1:in1/>
		</ns1:searchPrincipals>
	</soap:Body>
</soap:Envelope>

      Causes crowd to return all principals, which consumes an potentially unlimited amount of heap, cpu and db resources.

      Attachments

        Issue Links

          is detailed by

          Suggestion - CWD-1508 Create a new Security Server API for Crowd that exposes the improvements made to the underlying Remote Directory API.

          • Closed

          Activity

            People

              Unassigned Unassigned
              dcheney David Cheney (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: