[ZODB-Dev] ZEO pack

Toby Dickenson tdickenson@geminidataloggers.com
Wed, 26 Sep 2001 17:21:52 +0100


On Wed, 26 Sep 2001 10:09:47 -0400 (EDT), Jeremy Hylton
<jeremy@zope.com> wrote:

>I guess you have to modify manage_pack() to call pack with the wait
>argument.  I don't know Zope well enough to have a better answer.
>Perhaps there should be an option in the management interface to
>request a synchronous pack.

Watch out... the obvious way of doing this introduces a
denial-of-service vulnerability.

ZEO uses python pickles in the ZEO client / ZEO server rpc, but turns
off the detection of recursive objects as an optimisation.

If the value of the 'wait' parameter can be supplied through-the-web,
then anyone who can arrange for that value to be a recursive object
will be able to lock up your ZEO client, as it pickles an apparently
infinite object.


This used to be in the Collector.....

Toby Dickenson
tdickenson@geminidataloggers.com
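One way to close the gap the post describes is to make sure only a plain bool ever reaches the pack RPC, so the memo-less ZEO pickler never sees a web-supplied object. Added example, not ZEO or Zope code; `manage_pack` and `rpc_pack` are hypothetical stand-ins and the recursive list is a constructed test value:

```python
import pickle

def coerce_wait(value):
    """Normalise a through-the-web 'wait' form value to a plain bool.

    Only the returned bool is handed to the pack call, so the RPC layer
    pickles a known scalar rather than an attacker-chosen object.  Any
    value that is not a recognised boolean-like scalar is rejected.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return bool(value)
    if isinstance(value, bytes):
        value = value.decode("ascii", "replace")
    if isinstance(value, str):
        text = value.strip().lower()
        if text in ("1", "true", "yes", "on"):
            return True
        if text in ("", "0", "false", "no", "off"):
            return False
    raise ValueError("wait must be a boolean-like scalar, got %s"
                     % type(value).__name__)

def is_rejected(value):
    """True if coerce_wait() refuses the value (used for the self-check)."""
    try:
        coerce_wait(value)
    except ValueError:
        return True
    return False

def rpc_pack(days, wait):
    # Hypothetical stand-in for the client/server call: serialise the
    # arguments the way an RPC layer would and return the message bytes.
    return pickle.dumps((days, wait))

def manage_pack(days, wait=False, pack=rpc_pack):
    # Hypothetical stand-in for a management-screen handler: validate the
    # form parameter *before* anything reaches the pickler.
    return pack(days, coerce_wait(wait))

if __name__ == "__main__":
    loop = []            # constructed: a container that refers to itself
    loop.append(loop)
    print(pickle.loads(manage_pack(7, "yes")))   # (7, True)
    print(is_rejected(loop))                     # True
```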