On 22 Mar 2001 20:13:20 -0700, Bill Anderson <bill@libc.org> wrote:
(my apologies for the delayed reply)
On 22 Mar 2001 16:17:24 +0000, Toby Dickenson wrote:
Is this for an intranet application or something exposed to the raw internet?
IMO ZServer's http implementation isn't sufficiently robust to be exposed directly to untrusted clients.
Upon what do you base this?
There are a number of obvious but minor vulnerabilities. I'm sure they are all fixable, but they contribute to giving me a sense of caution.

For example, the medusa http server buffers incoming http headers in memory using string concatenation, and does not place an upper limit on the total size of headers. A malicious http request containing a large number of headers is an effective denial-of-service attack, consuming memory equal to the size of the headers sent, and O(n^2) processor time (because of the concatenation).

[I hope this doesn't come across as FUD; this is the only aspect of Zope security that causes me any concern, and the easy fix (use of a front-end proxy) is recommended for other reasons too]

Toby Dickenson
tdickenson@geminidataloggers.com
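The buffering pattern Toby describes, beside a bounded version, as an added illustration that is not medusa's or Zope's own code; the function names, the 8192-byte cap and the sample request are assumptions:

```python
"""Header buffering by string concatenation vs. a bounded accumulator.
Added example, not medusa code; names, cap and sample data are assumed."""

MAX_HEADER_BYTES = 8192  # assumed cap on the whole request head


class HeaderTooLarge(Exception):
    """Raised when the request head exceeds the configured cap."""


def collect_head_unbounded(chunks):
    """Accumulate chunks with string concatenation until the blank line that
    ends the header block. Memory grows with whatever the client sends, and
    each concatenation copies the buffer so far, so total work is quadratic
    in the head size. Nothing bounds it."""
    data = b""
    for chunk in chunks:
        data = data + chunk  # copies the entire buffer on every chunk
        end = data.find(b"\r\n\r\n")
        if end != -1:
            return data[:end]
    return None  # head not complete yet


def collect_head_bounded(chunks, limit=MAX_HEADER_BYTES):
    """Same job, but: reject the request as soon as the head would exceed
    the limit, append in place (amortised linear), and only search the tail
    for the terminator, which may straddle two chunks."""
    buf = bytearray()
    for chunk in chunks:
        if len(buf) + len(chunk) > limit:
            raise HeaderTooLarge("request head exceeds %d bytes" % limit)
        start = max(0, len(buf) - 3)  # terminator is 4 bytes long
        buf += chunk                  # in-place extend, no full copy
        end = buf.find(b"\r\n\r\n", start)
        if end != -1:
            return bytes(buf[:end])
    return None


def within_limit(chunks, limit=MAX_HEADER_BYTES):
    """True if a complete head was read under the cap, False otherwise."""
    try:
        return collect_head_bounded(chunks, limit) is not None
    except HeaderTooLarge:
        return False


# Constructed sample request, split as a socket might deliver it.
SAMPLE_CHUNKS = [b"GET / HTTP/1.0\r\nHost: exam",
                 b"ple.test\r\nX-Trace: 1\r", b"\n\r\nbody"]
```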