On Nov 28, 2012, at 12:46 AM, Matthew Serrano wrote:

> I ran into a limit on the number of parameters submitted by a form and found 
> this:
> http://www.caucho.com/resin-4.0/changes/resin-4.0.25.xtp#POSTparameterlimitDOSProtection
> 
> I changed my QA server to accept up to 20,000 as a work around to my specific 
> problem (turns out I am submitting around 15k parameters). What is the risk 
> of setting this max at 20k or higher? Is it simply resource utilization or is 
> there some other risk that I should be careful to avoid? Processing my form 
> after the change was as fast as any other form in my app.

Hi Matt,

This change was in response to the "hashdos" attack that was widely publicized 
late last year.

In simplest terms, form parameters are stored in a hashtable, and hashing 
becomes CPU intensive with increasing numbers of keys and collisions.  This 
leads to a DOS attack if the number of parameters is not limited.

Google for "hashdos" or see: 
http://arstechnica.com/business/2011/12/huge-portions-of-web-vulnerable-to-hashing-denial-of-service-attack/


> 
> FYI, not sure I really like the idea of submitting 20k parameters but I don't 
> think I can split this particular form into smaller sets easily…or at least 
> not quickly.

I believe we felt even 10k was unrealistically high and anyone coming close to 
that probably needed to reevaluate their form submission, but "suum cuique".

Thanks,
Paul


> thanks
> matt

===============================
Paul Cowan, Software Engineer
Caucho Technology
co...@caucho.com
http://blog.caucho.com
http://twitter.com/cauchoresin
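
An added example, not Resin's own code, of the kind of check the parameter limit implements: a URL-encoded form parser that counts name/value pairs as it reads them and rejects the request before the hash table is ever populated past the cap. The 10,000 default and the 20,000 override are the values from this thread; `parse_form`, `build_body` and `TooManyParameters` are names assumed here for illustration.

```python
# Added example (not Resin's code): cap the number of form parameters while
# parsing an application/x-www-form-urlencoded body, so that a request with an
# excessive number of keys is refused before those keys reach the hash table.
from urllib.parse import unquote_plus


class TooManyParameters(ValueError):
    """Raised when a request carries more form parameters than allowed."""


def parse_form(body: str, max_params: int = 10_000) -> dict:
    """Parse a URL-encoded form body into {name: [values]}.

    The pair count is checked on every pair, before the pair is stored, so an
    oversized request never grows the table beyond max_params entries and the
    cost of hashing colliding keys is bounded by the limit, not by the client.
    """
    params = {}
    count = 0
    for pair in body.split("&"):
        if pair == "":
            continue  # tolerate "a=1&&b=2" and a trailing '&'
        count += 1
        if count > max_params:
            raise TooManyParameters(
                f"more than {max_params} form parameters in request")
        name, sep, value = pair.partition("=")
        name = unquote_plus(name)
        value = unquote_plus(value) if sep else ""  # "c" alone -> c=""
        params.setdefault(name, []).append(value)
    return params


def build_body(n: int) -> str:
    """Constructed test input: a body with n distinct parameters p0..p(n-1)."""
    return "&".join(f"p{i}={i}" for i in range(n))


if __name__ == "__main__":
    # 15k parameters pass under the raised 20k limit from the thread...
    print(len(parse_form(build_body(15_000), max_params=20_000)))
    # ...but are rejected under the default 10k limit.
    try:
        parse_form(build_body(15_000))
    except TooManyParameters as exc:
        print("rejected:", exc)
```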

_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
