[Zope] Zope Best Possible Installation

Robert Segall roseg@apsis.ch
Fri, 13 Jun 2003 14:03:26 +0200


On Friday 13 June 2003 13:49, you wrote:
> Squid also has a configurable limit on the size of the request body, and
> the size of request headers. I think both of these offer valuable
> protection.

Pound also enforces a limit on the size and number of headers in a request - 
again quite large.

As to the request body: that's a very different can of worms. With the 
addition of chunked/MIME encodings in HTTP 1.1 the only way of enforcing a 
size limit on the request body is to read the complete request in the proxy 
before passing it to the actual server. Unfortunately that exposes you to a 
nasty DoS attack - all an attacker needs to do is to send you one (or several 
- in parallel) never-ending request(s). You may want to look at a similar 
attack against Apache (published about 5 months ago - google for apache and 
chunked encoding vulnerability).
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
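Added example, not code from Pound or from this thread: a chunked-body decoder that enforces the size cap while decoding, so a proxy can reject an oversized or never-ending request after buffering at most the cap rather than reading the whole request first. The sample streams and the 4096-byte cap are constructed for illustration.

```python
import re

# Chunk-size line: hex size, optional ";ext" parameters, then CRLF.
_CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")

def decode_chunked_with_cap(stream: bytes, max_body: int):
    """Decode a chunked request body, enforcing max_body while decoding.

    Returns (status, body) where status is "ok", "too_large" or "incomplete".
    The cap is checked against each declared chunk size *before* that chunk's
    bytes are copied, so a never-ending or oversized request is rejected with
    at most max_body bytes buffered instead of being read to completion.
    """
    body = bytearray()
    pos = 0
    while True:
        m = _CHUNK_SIZE_LINE.match(stream, pos)
        if m is None:
            return "incomplete", bytes(body)   # stream ended before last-chunk
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            return "ok", bytes(body)           # last-chunk; trailers not needed here
        if len(body) + size > max_body:
            return "too_large", bytes(body)    # reject without consuming the data
        data = stream[pos:pos + size]
        if len(data) < size or stream[pos + size:pos + size + 2] != b"\r\n":
            return "incomplete", bytes(body)   # chunk data or its CRLF is missing
        body += data
        pos += size + 2

# Constructed sample streams (not captured traffic).
GOOD = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
# Declares a huge chunk that the client never finishes sending.
OVERSIZED = b"FFFFFFFF\r\n" + b"A" * 64
# "Never-ending" request: 1000-byte chunks with no terminating zero chunk.
ENDLESS = (b"3E8\r\n" + b"B" * 1000 + b"\r\n") * 50
TRUNCATED = b"5\r\nab"

if __name__ == "__main__":
    samples = [("GOOD", GOOD), ("OVERSIZED", OVERSIZED),
               ("ENDLESS", ENDLESS), ("TRUNCATED", TRUNCATED)]
    for name, s in samples:
        status, body = decode_chunked_with_cap(s, max_body=4096)
        print(f"{name:9s} -> {status:10s} buffered={len(body)} bytes")
```

The cap bounds memory per request; a slow client that trickles bytes still needs a socket read timeout to bound time.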