Oliver Bleutgen wrote:
> 2. Zope doesn't care if a correspondending Version instance to the value 
> of REQUEST['Zope-Version'] exists, more exactly, zope doesn't care for 
> the value of that Zope-Version variable at all.

Hmm, it doesn't care, but it does store it in memory.  Pardon my fugly
non-portable bashisms here, but I just wanted to hash out an example:

exec >/dev/null
for i in `seq 100`; do
  w3m -dump -post <(perl -e 'print "Zope-Version=",$ARGV[0]x500000' $i) "$h"

Quick way to add 100 zodb connections and ~90M to the memory footprint
with relatively little clue of who is responsible assuming traditional
logging; presumeably one would get much trickier if they really wanted
to obfuscate the source of attack, slowly crawling the site, changing
the user-agent string, etc.  Under sane resource limits the host is
spared however the /Control_Panel/Database/manage_cacheParameters
resource becomes unavailable due to memory constraints.

Other side-effects from allowing anonymous clients to open additional
zodb connections are as of yet unknown to me, anyone care to speculate
on other vectors of abuse?

Jamie Heilman                   http://audible.transient.net/~jamie/
"We must be born with an intuition of mortality.  Before we know the words
 for it, before we know there are words, out we come bloodied and squalling
 with the knowledge that for all the compasses in the world, there's only
 one direction, and time is its only measure."          -Rosencrantz

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to