[Zope-dev] stopping the Version DoS

Jamie Heilman jamie@audible.transient.net
Wed, 16 Jul 2003 15:38:32 -0700


Leonardo Rochael Almeida wrote:
> I didn't check the sources to see what solution was finally given to the
> Version DoS attack, but I have a suggestion.

Jim committed a fix, which AFAICT, puts the issue to rest.  What his
fix does is simply remove the version's db connections from the pool
if the connecting user doesn't provide correct authorization creds.
This sort of trades off 1 DoS for another if you want to get picky
about it; now anonymous users can remove a version's db connections at
will.  Evidently, creating connections isn't expensive enough for this
to really matter though, so I think the issue can be considered
closed.  Personally I'm just removing version support entirely from my
tree.
 
-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle 
 into a lion's mouth and flicking his lovespuds with a wet towel, pure 
 insanity..."						-Rimmer
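The trade-off Jamie describes (pre-fix, an unauthenticated request to a Version still grabs and holds one of the pool's database connections, so a flood of anonymous requests can exhaust the pool; post-fix, the failed request instead drops the Version's connection, so anonymous users can only force reconnects) is easy to see in a toy simulation. The following is an added example, not Zope's code or Jim's fix: a bounded connection pool with one connection per open Version and two hypothetical policies, "hold" and "evict", standing in for the before and after behaviour. The pool size, version names and cost counter are constructed for illustration.

```python
"""Toy model of the Zope "Version DoS" trade-off discussed in the thread.

Added, simplified simulation (not Zope's own code): a bounded pool of
database connections, one per open Version, and two policies for a request
that names a Version without valid credentials.
"""
from dataclasses import dataclass, field

POOL_SIZE = 3  # constructed: a small cap so exhaustion is visible


class PoolExhausted(Exception):
    """Raised when every pool slot is already held by an open Version."""


@dataclass
class VersionPool:
    policy: str                  # "hold" (pre-fix) or "evict" (post-fix); hypothetical labels
    size: int = POOL_SIZE
    open_versions: dict = field(default_factory=dict)  # version name -> connection id
    connects: int = 0            # how many times a connection had to be (re)created

    def _connect(self, version):
        """Reuse the Version's connection or open a new one if a slot is free."""
        if version in self.open_versions:
            return self.open_versions[version]
        if len(self.open_versions) >= self.size:
            raise PoolExhausted(version)
        self.connects += 1
        self.open_versions[version] = f"conn-{self.connects}"
        return self.open_versions[version]

    def request(self, version, authorized):
        """Serve a request for a Version; return True only if it was authorized."""
        if authorized:
            self._connect(version)
            return True
        if self.policy == "hold":
            # Pre-fix behaviour: the connection is opened (and kept) even though
            # the request is then refused, so anonymous clients pin pool slots.
            self._connect(version)
            return False
        # Post-fix behaviour: refuse the request and remove the Version's
        # connection from the pool instead of keeping it around.
        self.open_versions.pop(version, None)
        return False


def anonymous_flood(policy, n_versions=POOL_SIZE):
    """n anonymous requests to distinct Version names, then one authorized request.

    Returns (authorized_request_served, connections_still_open).
    """
    pool = VersionPool(policy)
    for i in range(n_versions):
        pool.request(f"v{i}", authorized=False)
    try:
        served = pool.request("legit", authorized=True)
    except PoolExhausted:
        served = False
    return served, len(pool.open_versions)


def eviction_cost(rounds=5):
    """Post-fix: an anonymous request between two legitimate uses of one Version
    evicts its connection, so the next legitimate use must reconnect.

    Returns the total number of connections created: the price of the new DoS.
    """
    pool = VersionPool("evict")
    for _ in range(rounds):
        pool.request("legit", authorized=True)
        pool.request("legit", authorized=False)
    return pool.connects


if __name__ == "__main__":
    print("pre-fix  (hold):", anonymous_flood("hold"))   # (False, 3): pool exhausted
    print("post-fix (evict):", anonymous_flood("evict"))  # (True, 1): legit request served
    print("post-fix reconnects over 5 rounds:", eviction_cost(5))  # 5
```

Under the "hold" policy the anonymous flood fills every slot and the authorized request fails; under "evict" it is served, but each anonymous request costs one reconnect. Whether that second outcome matters is exactly the question in the message: it depends on how expensive creating a connection is relative to serving the request.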