https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37893
--- Comment #34 from David Cook <[email protected]> ---

Sorry my bug mail is broken so I didn't get this. Just noticed your response by chance...

(In reply to Pedro Amorim from comment #31)
> (In reply to David Cook from comment #29)
> > Theoretically, you could DOS
> > a server (accidentally or maliciously) by feeding in server-params that fill
> > up the process table.
>
> Can you please provide an example / test plan to reproduce / replicate this
> so I can address it?

Just looking up the process limits now. It looks like filling up the process table might not be possible when running the SIP server as a non-root user, since non-root users should have limits on the number of processes they can run. So it looks like I might be wrong there.

But you could still create problems even as a non-root user. Basically just put your min_servers, max_servers, and min_spare_servers to very high values. For instance, max_servers 500000 and min_spare_servers 450000.

Keep in mind that the server-params are passed to the SIP server completely un-checked and un-sanitized, and that all parameters listed in the "CONFIGURATION FILE" section of Net::Server::PreFork can be used. It's just way too much control.

> (In reply to David Cook from comment #30)
> > I agree with the original idea that "accounts" and "institutions" should be
> > moved into the DB/web UI, but "listeners" and "server-params" really should
> > not be.
> >
> > "syspref_overrides"... I'm not familiar enough with the use of that in the
> > SIP server, so I don't have ready comment on that one.
>
> You are proposing that only the accounts and institutions part is moved out
> of SIPConfig.xml. Everything else related to SIP configuration is kept in
> SIPConfig.xml. Is that correct?

More or less. Basically, I'm saying "listeners" and "server-params" should stay in SIPConfig.xml.

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
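As an added illustration of the point made in the comment above (server-params reaching Net::Server::PreFork unchecked), here is an allowlist-and-bounds filter in Perl. It is example code written for this page, not Koha code and not a proposed patch. The option names (min_servers, min_spare_servers, max_spare_servers, max_servers, max_requests, log_file) are real Net::Server / Net::Server::PreFork options; the numeric bounds, the function name sanitize_server_params, the cross-field ordering rules and the two input hashes are assumptions constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist of Net::Server::PreFork sizing options an operator may set through
# server-params, each with a hard upper bound. The names are real module options;
# the bounds are an assumption chosen for this example, not Koha values.
# Any key not listed here is dropped instead of being passed through.
my %ALLOWED = (
    min_servers       => { min => 1, max => 64    },
    min_spare_servers => { min => 0, max => 32    },
    max_spare_servers => { min => 1, max => 64    },
    max_servers       => { min => 1, max => 256   },
    max_requests      => { min => 1, max => 10000 },
);

# Takes the raw server-params hash (as it would come out of the parsed config
# file) and returns (\%clean, \@rejected). Only %clean should ever be handed
# to the Net::Server::PreFork constructor/run call.
sub sanitize_server_params {
    my ($raw) = @_;
    my (%clean, @rejected);

    for my $key (sort keys %$raw) {
        my $rule = $ALLOWED{$key};
        if (!$rule) {
            push @rejected, "$key: not an allowed server-param";
            next;
        }
        my $val = $raw->{$key};
        if (!defined $val || $val !~ /^[0-9]+$/) {
            push @rejected, "$key: value must be a non-negative integer";
            next;
        }
        if ($val < $rule->{min} || $val > $rule->{max}) {
            push @rejected, "$key=$val: outside allowed range $rule->{min}..$rule->{max}";
            next;
        }
        $clean{$key} = $val + 0;
    }

    # Cross-field ordering checks (an assumption for this example). The module
    # has its own startup checks, but rejecting here keeps a bad config from
    # reaching the server at all.
    if (exists $clean{min_servers} && exists $clean{max_servers}
        && $clean{min_servers} > $clean{max_servers}) {
        push @rejected, "min_servers must not exceed max_servers";
        delete @clean{qw(min_servers max_servers)};
    }
    if (exists $clean{min_spare_servers} && exists $clean{max_spare_servers}
        && $clean{min_spare_servers} > $clean{max_spare_servers}) {
        push @rejected, "min_spare_servers must not exceed max_spare_servers";
        delete @clean{qw(min_spare_servers max_spare_servers)};
    }

    return (\%clean, \@rejected);
}

# Constructed inputs: the abusive sizing values from the comment above, plus a
# non-sizing Net::Server option to show the allowlist dropping it, and a sane set.
my %abusive = (
    min_servers       => 200000,
    max_servers       => 500000,
    min_spare_servers => 450000,
    log_file          => '/tmp/sip.log',   # real Net::Server option, not a sizing knob
);
my %sane = (
    min_servers       => 5,
    min_spare_servers => 2,
    max_spare_servers => 10,
    max_servers       => 50,
);

for my $case ([ 'abusive', \%abusive ], [ 'sane', \%sane ]) {
    my ($name, $params) = @$case;
    my ($clean, $rejected) = sanitize_server_params($params);
    print "$name: accepted {",
        join(', ', map { "$_=$clean->{$_}" } sort keys %$clean), "}\n";
    print "$name: rejected $_\n" for @$rejected;
}
```

Run with the two constructed inputs, the abusive set yields an empty accepted hash and four rejection messages, while the sane set passes unchanged. In a real daemon a non-empty rejected list should be fatal at startup rather than silently replaced by defaults, so that a mis-sized or hostile config file is noticed instead of being quietly tolerated.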
