
Drop mandatory gzip compression #376

Merged
merged 1 commit into from
Mar 14, 2017

Conversation

ctron
Contributor

@ctron ctron commented Mar 13, 2017

This PR drops the gzip compression servlet filter.

  1. The servlet is deprecated and missing in most recent Jetty versions
  2. When using HTTPS (and Kapua should be used over HTTPS) then gzip compression might trigger the BREACH exploit [1]
  3. If compression is still wanted, it should be enabled in the front-facing HTTP engine
  4. It fixes an issue with the outdated GWT plugin

[1] https://en.wikipedia.org/wiki/BREACH_%28security_exploit%29

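Point 2 above is the security reason for the change: when a response is compressed with DEFLATE, a reflected request value that matches a secret embedded in the same page is encoded as a back-reference, so the compressed size of the HTTPS record reveals whether the guess was right (the BREACH class of attack). The following is an added example, not code from this PR or from Kapua; it builds a constructed HTML page with a constructed CSRF token, shows that the gzip size depends on the reflected value only when compression is on, and shows the standard mitigation for cases where compression cannot be dropped at the servlet layer (masking the secret with a per-response one-time pad so no static copy of it is ever in the body). The token value, the page template and the `mask_secret` / `unmask_secret` helpers are assumptions made for illustration.

```python
"""Compression side channel over HTTPS (BREACH-style), and two mitigations.

Added example, not Kapua code. A page echoes a request parameter and also
carries a per-session secret. With gzip, a matching echo compresses better
than a non-matching one of the same length; without gzip, or with the secret
masked per response, same-length inputs produce the same transport size.
"""
import gzip
import os

SECRET = "csrf=7f3a9c2e1b"  # constructed sample token, not a real value


def render(reflected: str, secret: str = SECRET) -> bytes:
    """Constructed HTML: echoes `reflected` and embeds `secret` in a hidden field."""
    return (
        "<html><body>"
        f"<p>You searched for: {reflected}</p>"
        '<form method="post">'
        f'<input type="hidden" name="token" value="{secret}">'
        "</form></body></html>"
    ).encode()


def gzip_len(body: bytes) -> int:
    """Bytes on the wire if a gzip servlet filter compressed the body."""
    return len(gzip.compress(body, compresslevel=9))


def size_oracle(correct: str, wrong: str) -> dict:
    """Transport sizes for a right and a wrong guess of identical length."""
    if len(correct) != len(wrong):
        raise ValueError("guesses must have the same length for a fair comparison")
    return {
        "compressed": (gzip_len(render(correct)), gzip_len(render(wrong))),
        "uncompressed": (len(render(correct)), len(render(wrong))),
    }


def compression_leaks(correct: str, wrong: str) -> bool:
    """True when the compressed size distinguishes the right guess from a wrong one."""
    right, other = size_oracle(correct, wrong)["compressed"]
    return right < other


def mask_secret(secret: str) -> str:
    """Mitigation when compression must stay on: hex(pad) + hex(pad XOR secret).

    A fresh random pad per response means the body never contains a static
    copy of the secret, so no reflected guess can match it.
    """
    raw = secret.encode()
    pad = os.urandom(len(raw))
    masked = bytes(p ^ s for p, s in zip(pad, raw))
    return pad.hex() + masked.hex()


def unmask_secret(token: str) -> str:
    """Server-side inverse of mask_secret (the client posts the masked token back)."""
    half = len(token) // 2
    pad = bytes.fromhex(token[:half])
    masked = bytes.fromhex(token[half:])
    return bytes(p ^ m for p, m in zip(pad, masked)).decode()


if __name__ == "__main__":
    wrong_guess = "qwertyuiopasdfg"  # same length as SECRET, shares no structure
    print("sizes (right, wrong):", size_oracle(SECRET, wrong_guess))
    print("gzip leaks the secret:", compression_leaks(SECRET, wrong_guess))
    masked_page = render(SECRET, mask_secret(SECRET))
    print("plaintext secret in masked page:", SECRET.encode() in masked_page)
```

Dropping the filter, as this PR does, removes the oracle for every response the servlet serves; if the front-facing HTTP engine later re-enables compression, the same check applies there, and per-response masking of tokens is the usual way to keep compression without the leak.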
@ctron ctron added Console GWT This issue/PR is related to Admin Web Console Security This issue/PR has some security critical aspect and should be issued as soon as possible labels Mar 13, 2017
@ctron ctron added this to the Kapua 1.0 milestone Mar 13, 2017
@ctron
Contributor Author

ctron commented Mar 13, 2017

Fixes #374

@ctron ctron merged commit 023a0ba into eclipse:develop Mar 14, 2017
@ctron ctron deleted the feature/drop_gzip_servlet_1 branch March 14, 2017 08:14
@lorthirk

lorthirk commented Mar 14, 2017

@kartben as per your suggestion I opened an issue on Bugzilla to further investigate this item since it has security implications, but it seems the issue is still publicly available with no restrictions. Isn't http://bugs.eclipse.org the correct URL for this?

@lorthirk

The follow-up issue is tracked here. Any input is really appreciated.
