[web-devel] limiting POST

Michael Snoyman michael at snoyman.com
Fri Jan 6 04:45:23 CET 2012


On Fri, Jan 6, 2012 at 4:50 AM, Erik de Castro Lopo
<mle+hs at mega-nerd.com> wrote:
> Kazu Yamamoto (山本和彦) wrote:
>
>> Hello guys,
>>
>> As you may know, "Denial of Service through hash table
>> multi-collisions" was disclosed:
>>
>>       http://permalink.gmane.org/gmane.comp.security.full-disclosure/83694
>>
>> The hashable package is affected, but the Yesod suite is not affected.
>> However, I guess we should provide size limitation of HTTP body on
>> POST to Warp.
>
> I disagree with limiting the size. It might be better for the Warp application
> to consume the POST data in constant space.
>
> Erik
> --
> ----------------------------------------------------------------------
> Erik de Castro Lopo
> http://www.mega-nerd.com/

Actually, the application can have full control over this, by either
ignoring the request body entirely (Warp will essentially stream it to
/dev/null) or throwing an exception.

Michael


