Shane Hathaway wrote:
Jamie Heilman wrote:

What's the status of versions for 2.6.2 and 2.7?  Have there been any
decisions reached?  I saw Jim's code get checked in but it won't
stop the DoS I posted.

Say it a little louder. Here is what I think you're saying:

- Anonymous users can still open a versioned database connection (although now they can't use it)

- Merely opening a versioned connection consumes resources

- Zope does not free those resources as it should

Can you confirm that's what you're seeing? Either we need to make Zope free the resources, or if that's not possible, we need a different strategy.

If I may also add something else, it might be a good idea to limit the namespace where zope looks for a variable named "Zope-Version".

Both and the patch look for this variable in the whole REQUEST, (i.e. via request.get(...)). I'd propose to change that to REQUEST.cookies.get(...). As it is, it violates the principle of least surprise and is also a tad inconsistent, because the patch even assumes that the "Zope-Version" variable came via a cookie (it tries to delete said cookie).

This is not purely aesthetic reasoning, since cookies can be trusted a bit more than other variables coming from the request. You can't inject them from third-party sites, for instance.

Limiting the lookup to REQUEST.cookies would also make client-side Trojan attacks a bit harder (not that you can't do much worse things with these kinds of attacks).

cheers, oliver
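The distinction drawn above, as an added example that is not Zope's code and not part of the original thread: a minimal stand-in for Zope's REQUEST object whose broad get() searches form data, cookies and "other" (the namespace order is an assumption for illustration), beside a cookies-only lookup. Two constructed requests show that a "Zope-Version" value arriving in the query string, as a link from a third-party site could supply it, is honoured by the broad lookup and ignored by the cookie lookup, and that expiring the cookie (what the patch is described as doing) does nothing when the value actually came from the form namespace.

```python
"""Added example, not Zope's own code. FakeRequest, its namespace
order and the helper names below are assumptions for illustration."""


class FakeRequest:
    """Minimal stand-in for Zope's HTTPRequest (assumed layout).

    get() searches several namespaces, so a value can arrive by any
    of them; .cookies holds only what the browser sent as cookies."""

    def __init__(self, form=None, cookies=None, other=None):
        self.form = dict(form or {})        # query string / POST body
        self.cookies = dict(cookies or {})  # Cookie: header
        self.other = dict(other or {})      # server-side extras

    def get(self, key, default=None):
        # Broad lookup (assumed order): form, then cookies, then other.
        for namespace in (self.form, self.cookies, self.other):
            if key in namespace:
                return namespace[key]
        return default

    def expire_cookie(self, name):
        # Stand-in for the patch's "delete the Zope-Version cookie" step.
        self.cookies.pop(name, None)


def version_from_anywhere(request):
    """The broad lookup the message objects to: any namespace can set it."""
    return request.get("Zope-Version")


def version_from_cookie(request):
    """The narrowed lookup the message proposes: cookies only."""
    return request.cookies.get("Zope-Version")


def clear_version(request, lookup):
    """Apply the patch's assumption (drop the cookie) and report what the
    given lookup still resolves afterwards."""
    request.expire_cookie("Zope-Version")
    return lookup(request)


def demo():
    # Constructed requests. 'linked' models a link from a third-party
    # site carrying ?Zope-Version=draft in the query string: no cookie
    # is involved. 'cookied' models a browser holding a cookie that this
    # site set earlier.
    linked = FakeRequest(form={"Zope-Version": "draft"})
    cookied = FakeRequest(cookies={"Zope-Version": "draft"})

    results = {
        "broad_sees_query_string": version_from_anywhere(linked),
        "cookie_only_sees_query_string": version_from_cookie(linked),
        "broad_sees_cookie": version_from_anywhere(cookied),
        "cookie_only_sees_cookie": version_from_cookie(cookied),
    }
    # Expiring the cookie clears the cookie-borne value but leaves the
    # form-borne one in place for the broad lookup.
    results["broad_after_expire_linked"] = clear_version(linked, version_from_anywhere)
    results["cookie_only_after_expire_cookied"] = clear_version(cookied, version_from_cookie)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The two results that matter for the argument are that only the broad lookup picks the value out of a query string, and that after the cookie is expired the broad lookup still returns it for that request, which is the inconsistency the message describes.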

Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **