Leonardo Rochael Almeida wrote:
> I didn't check the sources to see what solution was finally given to the Version DoS attack, but I have a suggestion.
Jim committed a fix, which AFAICT, puts the issue to rest. What his fix does is simply remove the version's db connections from the pool if the connecting user doesn't provide correct authorization creds. This sort of trades off 1 DoS for another if you want to get picky about it; now anonymous users can remove a version's db connections at will. Evidently, creating connections isn't expensive enough for this to really matter though, so I think the issue can be considered closed. Personally I'm just removing version support entirely from my tree.

--
Jamie Heilman http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle into a lion's mouth and flicking his lovespuds with a wet towel, pure insanity..." -Rimmer