tracker issue : CF-3915823

Title:

[ANeff] ER for: RestDeleteApplication("restapp", {useHost=true}) and RestDeleteApplication({useHost=true})


Status/Resolution/Reason: To Fix//

Reporter/Name(from Bugbase): Aaron Neff / Aaron Neff (Aaron Neff)

Created: 01/03/2015

Components: REST Services

Versions: 11.0

Failure Type: Enhancement Request

Found In Build/Fixed In Build: CF11_Final /

Priority/Frequency: Trivial / Unknown

Locale/System: English / Win All

Vote Count: 1

Applications are currently able to use restInitApplication(.. {host="www.anothersite.com"}) to steal each other's REST traffic, so restDeleteApplication() should accept {useHost=true}.

Repro:
1) www.site1.com and www.site2.com are on the same server
2) www.site1.com used restInitApplication("c:\site1", "restapp", {host="www.site2.com"}) to steal www.site2.com's "restapp" traffic
3) www.site2.com gets an error when trying to use restInitApplication("c:\site2", "restapp", {useHost=true}) to register its "restapp"
4) www.site2.com tries to use restDeleteApplication() to undo #2, but there is not any option for doing this
5) www.site2.com should be able to use restDeleteApplication("restapp", {useHost=true}) to undo #2 so that #3 will succeed

Suggestions:

The following would unregister "restapp" for the current host:
restDeleteApplication("restapp", {useHost=true})
The following would unregister all REST apps for the current host:
restDeleteApplication({useHost=true})

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3915823

External Customer Info:
External Company:  
External Customer Name: itisdesign
External Customer Email:

Attachments:

Comments:

+1 //////////////////////////////////////
Vote by External U.
9153 | January 06, 2015 07:15:02 AM GMT
Hi Aaron, wanted to understand your requirement about the ER, as you can use RestDeleteApplication(dirPath) for doing the same, except that we give the dirPath here, but serviceName in the example that you mentioned.
Comment by HariKrishna K.
9151 | January 09, 2015 10:41:20 AM GMT
Hi Hari, I didn't use dirPath in my example, b/c the victim app wouldn't know the dirPath that the hacker app had used. The use case is there could be a 'victim site' and a 'hacker site'. In my repro example above, www.site1.com is the hacker site and www.site2.com is the victim site. They would be on the same server. The hacker site had registered the service name using the hacker's dirPath and the victim's host. The hacker site now gets the victim site's REST traffic. Since the victim doesn't know the hacker's dirPath, the victim is unable to use restDeleteApplication() b/c that requires dirPath. And since the victim site is unable to unregister the hacker's registration, it is unable to register the same registration for itself. But, the victim _could_ use restDeleteApplication() if it accepted the service name and useHost=true (this way the service name could be unregistered for the current host). Of course, restDeleteApplication() should never permit the host to be manually specified (i.e. it should not allow this: {host="www.foo.com"}) b/c then other sites could unregister each other's REST apps. Instead, it should only use the host from the CGI scope. Basically, I'm asking for restDeleteApplication() to allow, in addition to optional service name, {useHost=true} but NEVER allow {host=".."}. If service name is specified, then only that service name is unregistered for the current host. If service name is not specified, then all service names would be unregistered for the current host. Thanks!, -Aaron
Comment by External U.
9152 | January 09, 2015 03:18:31 PM GMT
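
The semantics requested in this ticket, modelled in Python as an added example; it is not part of the ticket and not ColdFusion's implementation. The `RestRegistry` class, its method names and the in-memory (host, service name) map are assumptions made for illustration, and the hosts and paths are the constructed ones from the repro steps.

```python
# Toy model of a server-wide REST registry keyed by (host, service name).
# Class, method and option handling are hypothetical, not ColdFusion's code.
class RestRegistry:
    def __init__(self):
        self._apps = {}  # (host, service_name) -> dir_path

    def init_app(self, request_host, dir_path, service_name, options=None):
        # Behaviour the ticket describes: the caller may name any host.
        host = ((options or {}).get("host") or request_host).lower()
        if (host, service_name) in self._apps:
            raise ValueError(f"{service_name!r} already registered for {host}")
        self._apps[(host, service_name)] = dir_path

    def delete_by_dir(self, dir_path):
        # Existing form: only works if the caller knows the registered dirPath.
        return self._drop([k for k, v in self._apps.items() if v == dir_path])

    def delete_for_host(self, request_host, service_name=None, options=None):
        # Requested form: the host is taken from the request only.
        options = options or {}
        if "host" in options:
            raise PermissionError("host must not be caller-supplied on delete")
        if not options.get("useHost"):
            raise ValueError("useHost=true is required")
        host = request_host.lower()
        return self._drop([k for k in self._apps
                           if k[0] == host and service_name in (None, k[1])])

    def _drop(self, keys):
        for key in keys:
            del self._apps[key]
        return len(keys)

    def owner(self, host, service_name):
        return self._apps.get((host.lower(), service_name))

def replay_ticket():
    """Walk repro steps 2-5 with constructed values; return what happened."""
    reg = RestRegistry()
    reg.init_app("www.site1.com", r"c:\site1", "restapp", {"host": "www.site2.com"})
    try:
        reg.init_app("www.site2.com", r"c:\site2", "restapp", {"useHost": True})
        blocked = False
    except ValueError:
        blocked = True
    by_dir = reg.delete_by_dir(r"c:\site2")  # victim's own path matches nothing
    by_host = reg.delete_for_host("www.site2.com", "restapp", {"useHost": True})
    reg.init_app("www.site2.com", r"c:\site2", "restapp", {"useHost": True})
    return blocked, by_dir, by_host, reg.owner("www.site2.com", "restapp")
```

`replay_ticket()` returns whether step 3 was blocked, how many registrations each delete form removed, and which dirPath serves www.site2.com's "restapp" afterwards.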