Jamie Heilman wrote:
100% correct. Frankly I'm not entirely convinced anonymous users
should ever be able to open a zodb connection,
Well, without that, they would never be able to view a page from a Zope site.
That would make it tricky to log in ;-)
Chris
Chris Withers wrote:
Jamie Heilman wrote:
100% correct. Frankly I'm not entirely convinced anonymous users
should ever be able to open a zodb connection,
Well, without that, they would never be able to view a page from a Zope
site.
That would make it tricky to log in ;-)
By which I
Jamie Heilman wrote:
Chris Withers wrote:
Jamie Heilman wrote:
100% correct. Frankly I'm not entirely convinced anonymous users
should ever be able to open a zodb connection,
Well, without that, they would never be able to view a page from a Zope
site.
That would make it tricky to log in ;-)
On Tuesday 17 June 2003 09:01, Oliver Bleutgen wrote:
I don't quite understand the nature of this DOS attack after the patch.
You do requests with REQUEST['Zope-Versiom'] == big string.
If I understand your code correctly (it was bash and perl after all ;))
you create version i with a version
Shane Hathaway wrote:
- Anonymous users can still open a versioned database connection
(although now they can't use it)
- Merely opening a versioned connection consumes resources
- Zope does not free those resources as it should
Then, we should fix the latter issue.
Dieter
Jamie Heilman wrote:
What's the status of versions for 2.6.2 and 2.7? Have there been any
decisions reached? I saw Jim's code get checked in but it won't
stop the DoS I posted.
Say it a little louder. Here is what I think you're saying:
- Anonymous users can still open a versioned database
On Sunday 15 June 2003 08:11, Jamie Heilman wrote:
What's the status of versions for 2.6.2 and 2.7? Have there been any
decisions reached? I saw Jim's code get checked in but it won't
stop the DoS I posted.
I've not tested Jim's code, but it looks to me like it *should* stop that
attack. Have
Shane Hathaway wrote:
Jamie Heilman wrote:
What's the status of versions for 2.6.2 and 2.7? Have there been any
decisions reached? I saw Jim's code get checked in but it won't
stop the DoS I posted.
Say it a little louder. Here is what I think you're saying:
- Anonymous users can still open
Brian Lloyd wrote:
Have you tested to ensure that the 2.6.2 (CVS) is still open to the
DoS? If so, could you give me a quick scenario that I could use to
reproduce it?
I haven't tested 2.6.2, I tested CVS HEAD, assuming the code change to
both was the validated_hook in Zope/App/startup.py
What's the status of versions for 2.6.2 and 2.7? Have there been any
decisions reached? I saw Jim's code get checked in but it won't
stop the DoS I posted.
--
Jamie Heilman http://audible.transient.net/~jamie/
It's almost impossible to overestimate the unimportance of most