small summary and big plea was: (Re: [Zope-dev] Versions: should they die?)

Toby Dickenson tdickenson@geminidataloggers.com
Tue, 10 Jun 2003 08:56:35 +0100



On Friday 06 June 2003 21:28, Jamie Heilman wrote:

> Quick way to add 100 zodb connections and ~90M to the memory footprint
> with relatively little clue of who is responsible assuming traditional
> logging; presumably one would get much trickier if they really wanted
> to obfuscate the source of attack, slowly crawling the site, changing
> the user-agent string, etc.

Attached is a temporary patch to block this denial of service attack. This 
patch applies cleanly to the trunk and the 2.6 branch. This patch works by 
blocking all access to versions in the publisher, so don't apply it if you 
can't afford to stop using versions.

-- 
Toby Dickenson
http://www.geminidataloggers.com/people/tdickenson
Attachment: noversions.diff

Index: lib/python/ZODB/ZApplication.py
===================================================================
RCS file: /cvs-repository/Zope/lib/python/ZODB/ZApplication.py,v
retrieving revision 1.13
diff -c -2 -r1.13 ZApplication.py
*** lib/python/ZODB/ZApplication.py	8 Apr 2003 18:48:22 -0000	1.13
--- lib/python/ZODB/ZApplication.py	9 Jun 2003 22:58:43 -0000
***************
*** 42,49 ****
  
      def __bobo_traverse__(self, REQUEST=None, name=None):
!         db, aname, version_support = self._stuff
!         if version_support is not None and REQUEST is not None:
!             version=REQUEST.get(version_support,'')
!         else: version=''
          conn=db.open(version)
  
--- 42,53 ----
  
      def __bobo_traverse__(self, REQUEST=None, name=None):
!         # Disable nasty insecure version support. Thanks to
!         # Jamie Heilman and everyone one zope-dev
!         #
!         # db, aname, version_support = self._stuff
!         # if version_support is not None and REQUEST is not None:
!         #     version=REQUEST.get(version_support,'')
!         # else: version=''
!         version = ''
          conn=db.open(version)
  
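Review bot: The replacement block comments out the unpacking line `db, aname, version_support = self._stuff` together with the version lookup, so `db` is unbound by the time the unchanged context line `conn=db.open(version)` runs (and `aname` is no longer available to the code after the hunk that reads the root object). Only the `REQUEST.get(version_support,'')` branch needs disabling; keep the unpacking live, e.g.:
    db, aname, version_support = self._stuff
    # version support disabled: request-supplied version names are ignored
    version = ''
Minor: the comment reads "everyone one zope-dev"; presumably "everyone on zope-dev" was intended.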

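The following is an added illustration of the problem Jamie's quoted message describes and of what Toby's patch changes; it is constructed for this note and is not ZODB, ZPublisher or thread code. `ToyDB`, `ToyConnection`, `VERSION_KEY` and the two `traverse_*` functions are stand-ins: the toy keeps one idle-connection pool per version name, which is the assumption that makes "100 requests, 100 connections" reproducible, and the request key name is assumed (in `ZApplication` it is whatever `version_support` holds).

```python
# Constructed toy model of request-controlled ZODB version names.
# Not ZODB code: ToyDB keeps one idle pool per version name (assumption).


class ToyConnection:
    def __init__(self, db, version):
        self.db = db
        self.version = version

    def close(self):
        # Return the connection to the idle pool for its version.
        self.db.pools[self.version].append(self)


class ToyDB:
    def __init__(self):
        self.pools = {}   # version name -> list of idle connections
        self.created = 0  # connections allocated over the DB's lifetime

    def open(self, version=''):
        idle = self.pools.setdefault(version, [])
        if idle:
            return idle.pop()
        # No idle connection for this version name: allocate a new one.
        self.created += 1
        return ToyConnection(self, version)


# Assumed request key; the real publisher reads the name held in
# version_support, which is not shown in the patch.
VERSION_KEY = 'Zope-Version'


def traverse_before(db, request):
    """Pre-patch behaviour: the version name comes straight from the request."""
    version = request.get(VERSION_KEY, '')
    conn = db.open(version)
    conn.close()  # the publisher would use it first; closed when the request ends


def traverse_after(db, request):
    """Patched behaviour: whatever the request says, open the main version."""
    version = ''
    conn = db.open(version)
    conn.close()


def connections_created(traverse, requests):
    """Serve the requests sequentially against a fresh DB and report how
    many connections had to be allocated to do so."""
    db = ToyDB()
    for request in requests:
        traverse(db, request)
    return db.created


# Constructed request stream: 100 sequential requests, each naming a new version.
ATTACK_REQUESTS = [{VERSION_KEY: 'v%d' % i} for i in range(100)]

if __name__ == '__main__':
    print('before patch:', connections_created(traverse_before, ATTACK_REQUESTS))
    print('after patch: ', connections_created(traverse_after, ATTACK_REQUESTS))
```

The point of the toy is the cache key: when a caller-chosen string selects the pool, the number of live connections (and the memory behind them) is bounded by the number of distinct strings a client cares to send rather than by server configuration, and ordinary request logs show only a normal-looking sequence of GETs. Fixing the version to `''` collapses every request onto one pool, which is all the patch does.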