View Issue Details

ID: 0005355
Project: SOGo
Category: Backend Address Book
View Status: public
Last Update: 2021-09-30 12:14
Reporter: rschuetz
Assigned To: francis
Priority: normal
Severity: crash
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Fixed in Version: 5.3.0
Summary: 0005355: CardDAV addressbook-multiget report denial-of-service
Description

A CardDAV addressbook-multiget report request like

<card:addressbook-multiget xmlns:card="urn:ietf:params:xml:ns:carddav" xmlns:cs="http://calendarserver.org/ns/" xmlns:d="DAV:">
  <d:prop>
    <cs:getetag/>
    <card:address-data/>
  </d:prop>
  <d:href>/SOGo/dav/user/Contacts/public/contact1</d:href>
  <d:href>/SOGo/dav/user/Contacts/public/contact2</d:href>
  <d:href>/SOGo/dav/user/Contacts/public/contact3</d:href>
  […]
  <d:href>/SOGo/dav/user/Contacts/public/contactn</d:href>
</card:addressbook-multiget>

for an LDAP-backed addressbook creates n concurrent connections to the LDAP server. This can quickly lead to a denial-of-service situation if the open file descriptors limit of the SOGo or LDAP process is reached. A better approach would be to reuse a single connection for all n LDAP search operations.
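The scaling the report describes, as an added Python example that is not SOGo's code: it parses a constructed addressbook-multiget body and serves it against a simulated LDAP server with a fixed connection budget, once opening one connection per href (the reported behaviour) and once reusing a single connection (the suggested fix). The server class, the budget and the contact paths are constructed stand-ins, not SOGo or OpenLDAP internals.

```python
import xml.etree.ElementTree as ET

NS = {"d": "DAV:", "card": "urn:ietf:params:xml:ns:carddav"}

def build_multiget(n):
    """Constructed request body in the shape of the report above, asking for n contacts."""
    hrefs = "".join(f"<d:href>/SOGo/dav/user/Contacts/public/contact{i}</d:href>"
                    for i in range(1, n + 1))
    return ('<card:addressbook-multiget xmlns:card="urn:ietf:params:xml:ns:carddav" xmlns:d="DAV:">'
            f"<d:prop><d:getetag/><card:address-data/></d:prop>{hrefs}</card:addressbook-multiget>")

def parse_multiget_hrefs(body):
    """Hrefs the client asked for; rejects anything that is not an addressbook-multiget."""
    root = ET.fromstring(body)
    if root.tag != "{urn:ietf:params:xml:ns:carddav}addressbook-multiget":
        raise ValueError("not an addressbook-multiget report")
    return [h.text.strip() for h in root.findall("d:href", NS) if h.text]

class FakeLdapServer:
    """Stand-in for the LDAP server (constructed): the connection budget models the
    file-descriptor limit; connections live until the request ends, so only the peak matters."""
    def __init__(self, max_connections):
        self.max_connections, self.open_connections, self.peak = max_connections, 0, 0
    def connect(self):
        if self.open_connections >= self.max_connections:
            raise OSError("too many open files")  # the failure mode the report describes
        self.open_connections += 1
        self.peak = max(self.peak, self.open_connections)
        return self  # the server handle doubles as the connection object
    def search(self, href):  # one LDAP search per requested contact
        return {"href": href, "uid": href.rsplit("/", 1)[-1]}

def one_connection_per_href(server, hrefs):
    """Reported behaviour: n hrefs open n concurrent LDAP connections."""
    conns = [server.connect() for _ in hrefs]
    return [c.search(h) for c, h in zip(conns, hrefs)]

def reuse_one_connection(server, hrefs):
    """Suggested fix: a single connection serves all n searches."""
    conn = server.connect()
    return [conn.search(h) for h in hrefs]

def simulate(strategy, body, budget):
    """Serve one request against a fresh server; return (completed, peak_open_connections)."""
    server = FakeLdapServer(budget)
    try:
        strategy(server, parse_multiget_hrefs(body))
        return True, server.peak
    except OSError:
        return False, server.peak
```

With a budget of 10 connections, a 20-href request fails under the per-href strategy at peak 10, while the reused connection completes with a peak of 1.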

Tags: No tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2021-07-12 13:10 rschuetz New Issue
2021-09-30 12:14 francis Source_changeset_attached => sogo master 3da633ae
2021-09-30 12:14 francis Assigned To => francis
2021-09-30 12:14 francis Resolution open => fixed
2021-09-30 12:14 francis Status new => resolved
2021-09-30 12:14 francis Fixed in Version => 5.3.0