[web-devel] limiting POST

Michael Snoyman michael at snoyman.com
Fri Jan 6 04:45:23 CET 2012

On Fri, Jan 6, 2012 at 4:50 AM, Erik de Castro Lopo
<mle+hs at mega-nerd.com> wrote:
> Kazu Yamamoto (山本和彦) wrote:
>> Hello guys,
>> As you may know, "Denial of Service through hash table
>> multi-collisions" was disclosed:
>>       http://permalink.gmane.org/gmane.comp.security.full-disclosure/83694
>> The hashable package is affected but not affected to Yesod suite.
>> However, I guess we should provide size limitation of HTTP body on
>> POST to Warp.
> I disagree with limiting the size. I might be better to for the Warp application
> to consume the POST data in constant space.
> Erik
> --
> ----------------------------------------------------------------------
> Erik de Castro Lopo
> http://www.mega-nerd.com/
> _______________________________________________
> web-devel mailing list
> web-devel at haskell.org
> http://www.haskell.org/mailman/listinfo/web-devel

Actually, the application can have full control over this, by either
ignoring the request body entirely (Warp will essentially stream it to
/dev/null) or throwing an exception.


More information about the web-devel mailing list