0005355: CardDAV addressbook-multiget report denial-of-service - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0005355	SOGo	Backend Address Book	public	2021-07-12 13:10	2021-09-30 12:14

Reporter	rschuetz	Assigned To	francis
Priority	normal	Severity	crash	Reproducibility	have not tried
Status	resolved	Resolution	fixed
Fixed in Version	5.3.0

Summary	0005355: CardDAV addressbook-multiget report denial-of-service
Description	A CardDAV addressbook-multiget report request like <card:addressbook-multiget xmlns:card="urn:ietf:params:xml:ns:carddav" xmlns:cs="http://calendarserver.org/ns/" xmlns:d="DAV:"> <d:prop> <cs:getetag/> <card:address-data/> </d:prop> <d:href>/SOGo/dav/user/Contacts/public/contact1</d:href> <d:href>/SOGo/dav/user/Contacts/public/contact2</d:href> <d:href>/SOGo/dav/user/Contacts/public/contact3</d:href> […] <d:href>/SOGo/dav/user/Contacts/public/contactn</d:href> </card:addressbook-multiget> for a LDAP-backed addressbook creates n concurrent connections to the LDAP server. This can quickly lead to a denial-of-service situation, if the open file descriptors limit of the SOGo or LDAP process is reached. A better approach would be to reuse a single connection for all n LDAP search operations.
Tags	No tags attached.

sogo: master 3da633ae 2021-09-29 16:00 francis Details Diff	fix(addressbook): reuse LDAP connection in CardDAV report Fixes 0005355	Affected Issues 0005355
	mod - SoObjects/Contacts/SOGoContactSourceFolder.m	Diff File
	mod - SoObjects/SOGo/LDAPSource.m	Diff File
	mod - SoObjects/SOGo/SOGoSource.h	Diff File
	mod - SoObjects/SOGo/SQLSource.m	Diff File

Date Modified	Username	Field	Change
2021-07-12 13:10	rschuetz	New Issue
2021-09-30 12:14	francis	Changeset attached	=> sogo master 3da633ae
2021-09-30 12:14	francis	Assigned To	=> francis
2021-09-30 12:14	francis	Resolution	open => fixed
2021-09-30 12:14	francis	Status	new => resolved
2021-09-30 12:14	francis	Fixed in Version	=> 5.3.0