> Whether or not CONTENT_LENGTH is set (and it wouldn't be present in the case
> of a malicious attack, though not sure if some other part of the HTTP stack
> catches that),
> the current approaches read the whole stream into a tempfile.

It's not entirely up to the attacker; it depends on the server. The attacker might omit Content-Length, but the WSGI gateway can handle that by pre-reading the input stream and setting the actual CONTENT_LENGTH; in that case the Pylons app is not the place to handle the limits anyway. I'd say it's not the place in any case, because the server / gate or middleware should do that.

--
Best Regards,
Sergey Schetinin

http://s3bk.com/ -- S3 Backup
http://word-to-html.com/ -- Word to HTML Converter
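
Added example (not part of the original message, and not Paste or Pylons code): a minimal WSGI middleware that enforces a body-size limit in front of the application, covering both a declared CONTENT_LENGTH and a missing or understated one. `LimitRequestBody`, `CappedInput` and `BodyTooLarge` are hypothetical names; it assumes the server's `wsgi.input` returns the requested number of bytes unless the body ends first, and that the app reads the body before it starts the response.

```python
import sys

class BodyTooLarge(Exception):
    """Request body exceeded the configured limit."""

class CappedInput:
    """wsgi.input wrapper that hands out at most `limit` bytes in total."""
    def __init__(self, stream, limit):
        self._stream, self._left = stream, limit

    def _take(self, reader, size):
        # Ask for one byte past the budget so an overrun is detectable
        # without ever buffering more than limit + 1 bytes.
        cap = self._left + 1
        data = reader(cap if size is None or size < 0 else min(size, cap))
        if len(data) > self._left:
            raise BodyTooLarge()
        self._left -= len(data)
        return data

    def read(self, size=-1):
        return self._take(self._stream.read, size)

    def readline(self, size=-1):
        return self._take(self._stream.readline, size)

class LimitRequestBody:
    """Middleware: reject oversized bodies before the app buffers them."""
    def __init__(self, app, max_bytes):
        self.app, self.max_bytes = app, max_bytes

    def __call__(self, environ, start_response):
        try:
            declared = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            declared = -1  # malformed header value: refuse it as well
        if not 0 <= declared <= self.max_bytes:
            return self._reject(start_response)
        # CONTENT_LENGTH may be absent or understated, so cap actual reads too.
        environ["wsgi.input"] = CappedInput(environ["wsgi.input"], self.max_bytes)
        try:
            return self.app(environ, start_response)
        except BodyTooLarge:
            return self._reject(start_response, sys.exc_info())

    def _reject(self, start_response, exc_info=None):
        body = b"Request body too large\n"
        start_response("413 Request Entity Too Large",
                       [("Content-Type", "text/plain"),
                        ("Content-Length", str(len(body)))], exc_info)
        return [body]
```

Wrap the application once at deployment, e.g. `app = LimitRequestBody(app, 10 * 1024 * 1024)`; the limit value here is an arbitrary illustration.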
