
EZSA-2016-006: ezjscore: add hard limit in ezjscnode::subtree

Publication date: 13/09/2016
Severity: Medium
Affected versions: 4.4-5.4, all community versions at time of writing (legacy only)
Resolving versions: 5.4.7, 5.3.9, and published service packs for all other supported versions

The eZ JS Core subtree method (ezjscnode::subtree) does not impose a maximum on the number of nodes to fetch. Because the result is not cached, calling it with extremely high limits could overload sites with large content databases. The patch adds a HardLimit setting in the [ezjscServer_ezjscnode] block of ezjscore.ini where you can specify an upper limit. It is not set by default; you could, for example, set it to 100 if your site does not require more than this. We recommend that you install this Security Update as soon as possible.

Patch for eZ Publish (eZ JS Core): https://github.com/ezsystems/ezpublish-legacy/commit/d76ce9824dabaceeefa77530c8c611e447d1b109
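As an added illustration of the clamping behaviour the setting introduces (this is not the eZ Publish patch linked above or any eZ Publish code), the snippet below reads a constructed [ezjscServer_ezjscnode] block, and shows how a requested limit is left unchanged when HardLimit is absent and capped when it is set. The function names and the ini sample are assumptions for this example only.

```php
<?php
// Added example, not part of eZ Publish. Demonstrates an optional
// HardLimit ceiling applied to a client-supplied node limit.

// Constructed sample of the ezjscore.ini block described in the advisory.
$sampleIni = <<<INI
[ezjscServer_ezjscnode]
HardLimit=100
INI;

/**
 * Read HardLimit from ini text; null when the setting is absent or not numeric
 * (the default situation before an operator configures it).
 */
function readHardLimit(string $iniText): ?int
{
    $parsed = parse_ini_string($iniText, true, INI_SCANNER_RAW);
    $block  = $parsed['ezjscServer_ezjscnode'] ?? [];
    return (isset($block['HardLimit']) && is_numeric($block['HardLimit']))
        ? (int) $block['HardLimit'] : null;
}

/**
 * Return the limit actually passed on to the fetch.
 * $requested is raw client input: it may be empty, non-numeric, negative or huge.
 * Without a positive $hardLimit the request passes through unchanged, which is
 * the unbounded behaviour the advisory describes; with one it is capped.
 */
function effectiveLimit($requested, ?int $hardLimit): ?int
{
    $limit = (is_numeric($requested) && (int) $requested >= 0)
        ? (int) $requested : null;          // garbage/negative => "no limit given"

    if ($hardLimit === null || $hardLimit <= 0) {
        return $limit;                      // no ceiling configured
    }
    if ($limit === null || $limit > $hardLimit) {
        return $hardLimit;                  // cap unbounded or oversized requests
    }
    return $limit;
}

$hard = readHardLimit($sampleIni);          // 100 for the sample above
foreach (['', 'abc', '-5', '10', '100', '999999'] as $req) {
    printf("requested=%-8s effective=%s\n",
        var_export($req, true), var_export(effectiveLimit($req, $hard), true));
}
```

Run the same loop with a sample block that omits HardLimit to see the uncapped pass-through the advisory warns about.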
