> Shane Hathaway wrote:
> > - Anonymous users can still open a versioned database connection
> > (although now they can't use it)
> > - Merely opening a versioned connection consumes resources
> > - Zope does not free those resources as it should
Then, we should fix the latter issue.
Die
On Tuesday 17 June 2003 09:01, Oliver Bleutgen wrote:
> I don't quite understand the nature of this DOS attack after the patch.
> You do requests with REQUEST['Zope-Versiom'] == .
> If I understand your code correctly (it was bash and perl after all ;))
> you create version i with a version name st
Jamie Heilman wrote:
> Chris Withers wrote:
> > Jamie Heilman wrote:
> > > 100% correct. Frankly I'm not entirely convinced anonymous users
> > > should ever be able to open a zodb connection,
> > Well, without that, they would never be able to view a page from a Zope
> > site.
> > That would make it tricky to log in ;-)
Chris Withers wrote:
> Jamie Heilman wrote:
> >
> >100% correct. Frankly I'm not entirely convinced anonymous users
> >should ever be able to open a zodb connection,
>
> Well, without that, they would never be able to view a page from a Zope
> site.
> That would make it tricky to log in ;-)
By
Jamie Heilman wrote:
> 100% correct. Frankly I'm not entirely convinced anonymous users
> should ever be able to open a zodb connection,
Well, without that, they would never be able to view a page from a Zope site.
That would make it tricky to log in ;-)
Chris
Brian Lloyd wrote:
> Have you tested to ensure that the 2.6.2 (CVS) is still open to the
> DoS? If so, could you give me a quick scenario that I could use to
> reproduce it?
I haven't tested 2.6.2, I tested CVS HEAD, assuming the code change to
both was the validated_hook in Zope/App/startup.py
Shane Hathaway wrote:
> Jamie Heilman wrote:
> > What's the status of versions for 2.6.2 and 2.7? Have there been any
> > decisions reached? I saw Jim's code get checked in but it won't
> > stop the DoS I posted.
> Say it a little louder. Here is what I think you're saying:
> - Anonymous users can still open a
On Sunday 15 June 2003 08:11, Jamie Heilman wrote:
> What's the status of versions for 2.6.2 and 2.7? Have there been any
> decisions reached? I saw Jim's code get checked in but it won't
> stop the DoS I posted.
I've not tested Jim's code, but it looks to me like it *should* stop that
attack. Hav
Jamie Heilman wrote:
> What's the status of versions for 2.6.2 and 2.7? Have there been any
> decisions reached? I saw Jim's code get checked in but it won't
> stop the DoS I posted.
Say it a little louder. Here is what I think you're saying:
- Anonymous users can still open a versioned database conne