Services Kit: No locking around access to HTTP context information such as authentication
|Reported by:||stippi||Owned by:||pulkomandy|
As time permits, I am trying to give the HTTP portion of the Services Kit a code review. Since I am not sure whether I find the time to investigate the problems I find more closely, or even fix them, I want to document my findings.
I think I have found one serious problem so far: There seems to be no locking around accessing the authentication per URL in the global HTTP context. This means there are several race conditions that can lead to memory corruption. There needs to be locking for accessing the hashmap of authentications per URL. And the authentication needs to be accessed via reference counting, so that the authentication object obtained in a HTTP thread can be used without the chance of it going away. This can happen when another HTTP thread replaces the authentication for a given URL. The old one needs to stay valid until all references are released.