Hi, I closed your bug but I also just commented on it saying "if you send a patch we will apply it" re: disabling timeouts at compile time. I still maintain that this is a *very bad idea* for servers which will live on the public internet, but for intranet/firewalled services it is probably ok or even beneficial to have it as an option.
G

On Sat, Jan 29, 2011 at 6:59 PM, tsuraan <[email protected]> wrote:
>> I think that would still be trivially exploitable by anyone who knew
>> about it. It seems like that kind of work would just lead to a false
>> sense of security.
>
> I've been thinking about this, and I don't see how it's exploitable,
> so either I didn't express myself well, or I am missing something. My
> thought is that, in the controller function, I need to get a user's
> authentication cookie in order to track the user's activity. If the
> user is DOS'ing me by trickling bytes to me, then I will time out
> while trying to read in the cookie, and I will sever the connection.
> If the user gives me a valid authentication cookie and then starts
> trickling more data in, then I can at least log the activities of that
> user, and take action against a person whose identity is known to me.
> Is there a hole in that?
>
>> It might need to be done with a compile-time flag instead of a runtime
>> check for zero.
>
> That would actually be really great. I basically never want the
> framework's core to do any timeouts. I've put this in as a feature
> request (https://github.com/snapframework/snap-core/issues/#issue/50)
> so it doesn't get lost.
> _______________________________________________
> Snap mailing list
> [email protected]
> http://mailman-mail5.webfaction.com/listinfo/snap
>

--
Gregory Collins <[email protected]>
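The reader design debated in the thread, as an added example that is not part of the thread or of the Snap project: a Python request reader whose idle deadlines a handler can extend but never switch off, so a connection that goes quiet is severed whether or not it already presented a cookie. The in-memory requests it reads are constructed for the demo; function names, the tiny deadline values and the extension cap are assumptions.

```python
import asyncio
# Constructed example (not Snap's code): idle deadlines are never disabled; a handler
# may only extend the budget, so a trickling client, cookie or not, cannot pin a worker.
HEADER_IDLE, BODY_IDLE, MAX_EXTEND = 0.05, 0.05, 5.0  # tiny values so the demo runs fast

class SlowClient(Exception):
    """The peer stalled past its deadline; the connection is severed."""

async def read_headers(reader: asyncio.StreamReader) -> dict:
    """Request line, then headers; the idle clock restarts on every line received."""
    headers = {}
    try:
        headers[":request"] = (await asyncio.wait_for(reader.readline(), HEADER_IDLE)).decode("latin-1").strip()
        while True:
            line = await asyncio.wait_for(reader.readline(), HEADER_IDLE)
            if line in (b"\r\n", b"\n", b""):  # blank line (or EOF) ends the headers
                return headers
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
    except asyncio.TimeoutError:
        raise SlowClient("stalled while sending headers") from None

async def read_body(reader: asyncio.StreamReader, length: int, extend: float = 0.0) -> bytes:
    """Content-Length body, chunk by chunk; `extend` is a clamped opt-in, never 'off'."""
    budget = BODY_IDLE + min(max(extend, 0.0), MAX_EXTEND)
    chunks, remaining = [], length
    try:
        while remaining > 0:
            chunk = await asyncio.wait_for(reader.read(min(remaining, 4096)), budget)
            if not chunk:
                raise SlowClient("peer closed mid-body")
            chunks.append(chunk)
            remaining -= len(chunk)
    except asyncio.TimeoutError:
        raise SlowClient("stalled while sending body") from None
    return b"".join(chunks)

def handle(raw: bytes, client_goes_quiet: bool = False) -> str:
    async def run():  # drives the reader over an in-memory stream holding a constructed request
        reader = asyncio.StreamReader()
        reader.feed_data(raw)
        if not client_goes_quiet:
            reader.feed_eof()  # a stalling client sends no EOF, it simply goes quiet
        try:
            hdrs = await read_headers(reader)
            body = await read_body(reader, int(hdrs.get("content-length", "0")))
            return f"ok cookie={hdrs.get('cookie', '-')} body={len(body)}"
        except SlowClient as e:
            return f"severed: {e}"
    return asyncio.run(run())
```

A client that authenticates and then stalls mid-body is cut off on the same deadline as an anonymous one; logging the cookie first does not stop the worker from being held open.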
