Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Merge branch '2.3' of ezsystems/ezplatform-http-cache into 4.6 #55

Merged
merged 2 commits into from
Nov 28, 2024
Merged

Merge branch '2.3' of ezsystems/ezplatform-http-cache into 4.6 #55

merged 2 commits into from
Nov 28, 2024

Conversation

ezrobot
Copy link

@ezrobot ezrobot commented Nov 28, 2024

Cross merge PR

@alongosz
Copy link
Member

@glye you have conflicts here.

Does github now generate those commits like "Merge commit from fork"? Keep in mind that commit like this won't be visible in auto-generated changelogs. However we can merge this PR adding IBX-XXX: prefix.

@glye
Copy link
Contributor

glye commented Nov 28, 2024
edited
Loading

@alongosz The "Merge commit from fork" is automatic, yes.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@glye
Copy link
Contributor

glye commented Nov 28, 2024

@alongosz Manual merge done, hope I didn't 🪛 it up.

@alongosz
Copy link
Member

@alongosz The form the merge should take is https://github.com/ibexa/http-cache-ghsa-fh7v-q458-7vmw/pull/1/files

I don't have access to it @glye (:

@glye
Copy link
Contributor

glye commented Nov 28, 2024
edited
Loading

@alongosz Sorry, I removed it already. But I'm pretty sure I got it right :)

konradoboza
konradoboza approved these changes Nov 28, 2024
View reviewed changes
Copy link
Contributor

@konradoboza konradoboza left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wasn't able to dig deep enough to have some further context on compression, but it feels like we are skipping it for some important content types (REST-related, JSON). I wonder if that has any repercussions on performance but I guess that wasn't checked, wasn't that? +1 to unblock release.

@glye
Copy link
Contributor

glye commented Nov 28, 2024
edited
Loading

Yes, there can be a performance impact, but fixing it in other ways than turning off compression is a hard problem to solve, with security pitfalls. Ref. https://www.breachattack.com/
We can discuss it after release, agree to unblock release.

@konradoboza
Copy link
Contributor

konradoboza commented Nov 28, 2024
edited
Loading

At least rate-limiting looks like potential low-hanging fruit, but this still only reduces the breach probability. Thanks for the details @glye.

@glye glye merged commit e03f683 into 4.6 Nov 28, 2024
24 checks passed
@glye glye deleted the temp_2.3_to_4.6 branch November 28, 2024 12:38
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@konradoboza konradoboza konradoboza approved these changes

@ViniTou ViniTou ViniTou approved these changes

@alongosz alongosz alongosz approved these changes

@dabrt dabrt Awaiting requested review from dabrt

@mnocon mnocon Awaiting requested review from mnocon

@ibexa-yuna ibexa-yuna Awaiting requested review from ibexa-yuna

Assignees

@alongosz alongosz

@konradoboza konradoboza

Labels
Ready for review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ezrobot @alongosz @glye @konradoboza @ViniTou