View Issue Details

ID: 0005355
Project: SOGo
Category: Backend Address Book
View Status: public
Last Update: 2021-07-12 09:10
Reporter: rschuetz
Assigned To:
Priority: normal
Severity: crash
Reproducibility: have not tried
Status: new
Resolution: open
Summary: 0005355: CardDAV addressbook-multiget report denial-of-service
Description

A CardDAV addressbook-multiget report request like

<card:addressbook-multiget xmlns:card="urn:ietf:params:xml:ns:carddav" xmlns:cs="http://calendarserver.org/ns/" xmlns:d="DAV:">
<d:prop>
<cs:getetag/>
<card:address-data/>
</d:prop>
<d:href>/SOGo/dav/user/Contacts/public/contact1</d:href>
<d:href>/SOGo/dav/user/Contacts/public/contact2</d:href>
<d:href>/SOGo/dav/user/Contacts/public/contact3</d:href>
[…]
<d:href>/SOGo/dav/user/Contacts/public/contactn</d:href>
</card:addressbook-multiget>

for an LDAP-backed addressbook creates n concurrent connections to the LDAP server. This can quickly lead to a denial-of-service situation if the open file descriptors limit of the SOGo or LDAP process is reached. A better approach would be to reuse a single connection for all n LDAP search operations.

Tags: No tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2021-07-12 09:10 rschuetz New Issue
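
Until the backend reuses one LDAP connection as the description suggests, a filter in front of SOGo can bound n by counting the d:href children of an addressbook-multiget body and rejecting oversized requests. This is an added example, not code from the report or from SOGo; the cap value, the function names and the sample body builder are assumptions made for illustration.

```python
import xml.parsers.expat

CARDDAV_NS = "urn:ietf:params:xml:ns:carddav"
DAV_NS = "DAV:"
MAX_HREFS = 50  # assumed cap; size it against the SOGo/LDAP file descriptor limits

class TooManyHrefs(Exception):
    """Raised inside the parser callback to abort as soon as the cap is exceeded."""

def check_multiget(body: bytes, max_hrefs: int = MAX_HREFS):
    """Return (allowed, reason, hrefs_seen) for a REPORT request body."""
    state = {"depth": 0, "multiget": False, "hrefs": 0}

    def start(name, attrs):
        state["depth"] += 1
        if state["depth"] == 1:  # root element decides whether this is a multiget
            state["multiget"] = name == f"{CARDDAV_NS} addressbook-multiget"
        elif state["multiget"] and state["depth"] == 2 and name == f"{DAV_NS} href":
            state["hrefs"] += 1
            if state["hrefs"] > max_hrefs:
                raise TooManyHrefs()  # stop streaming, do not read the rest

    def end(name):
        state["depth"] -= 1

    def doctype(*args):  # a multiget body needs no DTD, so refuse one outright
        raise ValueError("DOCTYPE not allowed")

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(body, True)
    except TooManyHrefs:
        return (False, "too many hrefs", state["hrefs"])
    except (xml.parsers.expat.ExpatError, ValueError):
        return (False, "malformed or disallowed XML", state["hrefs"])
    return (True, "ok", state["hrefs"])

def sample_body(n: int) -> bytes:
    """Constructed sample mirroring the request shown in the description."""
    hrefs = "".join(
        f"<d:href>/SOGo/dav/user/Contacts/public/contact{i}</d:href>" for i in range(1, n + 1))
    return (f'<card:addressbook-multiget xmlns:card="{CARDDAV_NS}" '
            f'xmlns:cs="http://calendarserver.org/ns/" xmlns:d="{DAV_NS}">'
            f"<d:prop><cs:getetag/><card:address-data/></d:prop>{hrefs}"
            "</card:addressbook-multiget>").encode()
```

Sync clients legitimately batch several hrefs into one multiget, so the cap should be chosen from observed traffic rather than set to a very small number.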