[Zope] Zope Best Possible Installation
Fri, 13 Jun 2003 13:44:25 +0100
On Friday 13 June 2003 13:03, Robert Segall wrote:
> On Friday 13 June 2003 13:49, you wrote:
> > Squid also has a configurable limit on the size of the request body, and
> > the size of request headers. I think both of these offer valuable
> > protection.
> Pound also enforces a limit on the size and number of headers in a request
> - again quite large.
woohooo. Im looking forward to having an opportunity to try Pound.
> As to the request body: that's a very different can of worms. With the
> addition of chunked/MIME encodings in HTTP 1.1 the only way of enforcing a
> size limit on the request body is to read the complete request in the proxy
> before passing it to the actual server. Unfortunately that exposes you to a
> nasty DOS attack - all an attacker needs to do is to send you one (or
> several - in parallel) never-ending request(s).
Im not sure how squid would handle the chunked request case.
It handles the limit on non-chunked request body sizes by counting bytes, and
severing the TCP connection when the counter gets too big. No buffering. I
guess that would work with chunks too.
(from memory, I didnt think chunked encoding was permitted for request bodies.
For interoperability with http/1.0)
> You may want to look at a
> similar attack against Apache (published about 5 months ago - google for
> apache and chunked encoding vulnerability).
I must have missed that one, but I dont keep up to date with apache these
days. I cant see anything in Google, unless you mean this 12-month-old one.