On Monday, 05.03.2012, at 10:26 -0800, Luke Scott wrote:
> >
> > Can't you just run the code on the client side and hook it into the
> > server with dnode or something like that? (Or regular AJAX if you're
> > worried about DoS attacks - as soon as you run something like socket.io,
> > you're pretty much defenseless against mildly sophisticated DoS attacks.
> > A few months ago, you could let node's RAM overflow remotely with a
> > single shell command if the remote side was running socket.io (endless
> > POST), and now.js was even more vulnerable - a single tiny message, and
> > node completely blocked the event loop. At the moment, it probably takes
> > a small script to kill a socket.io instance, but it's not hard.)
> >
> 
> Unfortunately not. There really isn't a need for AJAX or sockets. The code 
> responds to events during a GET/POST. The lifecycle of the code is very 
> short. Any validation that happens on the client side has to be also done 
> on the server side. What we're doing is very PHP-like.

So you have untrusted code and an untrusted user, and the untrusted code
and the untrusted user don't trust each other either?

How many different people will be able to upload untrusted code?
