Jamie Heilman wrote:
Chris Withers wrote:

Jamie Heilman wrote:

100% correct. Frankly I'm not entirely convinced anonymous users
should ever be able to open a ZODB connection,

Well, without that, they would never be able to view a page from a Zope site.
That would make it tricky to log in ;-)

By which I meant being assigned pre-allocated resources vs. allocating
the resource during the request itself.

I don't quite understand the nature of this DoS attack after the patch. You do requests with REQUEST['Zope-Version'] == <big string>.
If I understand your code correctly (it was bash and perl after all ;)) you create version i with a version name str(i)*500000.
It seems (to me) that the sole cause for this DoS is that Zope stores the version names in memory; that means you get a memory consumption for all version name strings of 10*500000 + 90*500000*2, which is 95.000.000 bytes, which is roughly the 90M you reported.

But why does Zope store the version names even if the transaction is aborted? Isn't that another bug?

cheers, oliver

Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )