[Zope-dev] version status
Oliver Bleutgen
myzope@gmx.net
Tue, 17 Jun 2003 10:01:02 +0200
Jamie Heilman wrote:
> Chris Withers wrote:
>
>>Jamie Heilman wrote:
>>
>>>100% correct. Frankly I'm not entirely convinced anonymous users
>>>should ever be able to open a zodb connection,
>>
>>Well, without that, they would never be able to view a page from a Zope
>>site.
>>That would make it tricky to log in ;-)
>
>
> By which I meant being assigned pre-allocated resources vs. allocating
> the resource during the request itself.

I don't quite understand the nature of this DOS attack after the patch.
You do requests with REQUEST['Zope-Version'] == <big string>.
If I understand your code correctly (it was bash and perl after all ;))
you create version i with a version name str(i)*500000.

It seems (to me) that the sole cause for this DOS is that zope stores
the version names in memory, that means you get a memory consumption for
all version name strings of 10*500000 + 90*500000*2 which is 95.000.000
bytes, which is roughly the 90M you reported.

But why does zope store the version names even if the transaction is
aborted, isn't that another bug?

cheers,
oliver