
On Fri, Jan 6, 2012 at 4:50 AM, Erik de Castro Lopo
Kazu Yamamoto (山本和彦) wrote:
Hello guys,
As you may know, "Denial of Service through hash table multi-collisions" was disclosed:
http://permalink.gmane.org/gmane.comp.security.full-disclosure/83694
The hashable package is affected, but the Yesod suite is not affected. However, I guess we should add a size limitation on the HTTP body of POST requests to Warp.
I disagree with limiting the size. It might be better for the Warp application to consume the POST data in constant space.
Erik
--
Erik de Castro Lopo
http://www.mega-nerd.com/
_______________________________________________ web-devel mailing list web-devel@haskell.org http://www.haskell.org/mailman/listinfo/web-devel
Actually, the application can have full control over this, by either ignoring the request body entirely (Warp will essentially stream it to /dev/null) or throwing an exception.

Michael
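
The two positions in this thread (a size cap, and consuming the POST data in constant space) can be combined inside the application. The following is an added example, not code from the thread or from the Warp project; it assumes the current wai/warp/http-types API (`getRequestBodyChunk`, `requestBodyLength`) rather than the 2012 one, and `maxBody`, `BodyTooLarge` and `drainBounded` are hypothetical names.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example: assumes the modern wai/warp/http-types API.
module Main (main) where

import           Control.Exception        (Exception, throwIO, try)
import qualified Data.ByteString          as B
import           Data.Word                (Word64)
import           Network.HTTP.Types       (status200, status413)
import           Network.Wai              (Application, Request,
                                           RequestBodyLength (..),
                                           getRequestBodyChunk,
                                           requestBodyLength, responseLBS)
import           Network.Wai.Handler.Warp (run)

-- Hypothetical exception type for this example.
data BodyTooLarge = BodyTooLarge deriving Show
instance Exception BodyTooLarge

-- Hypothetical limit: 1 MiB.
maxBody :: Word64
maxBody = 1024 * 1024

-- Read the body chunk by chunk, keeping only a running byte count
-- (constant space), and throw as soon as the limit is exceeded.
drainBounded :: Request -> IO Word64
drainBounded req = go 0
  where
    go n = do
      chunk <- getRequestBodyChunk req
      let n' = n + fromIntegral (B.length chunk)
      if B.null chunk            -- an empty chunk marks the end of the body
        then return n
        else if n' > maxBody
          then throwIO BodyTooLarge
          else go n'

app :: Application
app req respond =
  case requestBodyLength req of
    -- Declared Content-Length over the limit: reject without reading.
    KnownLength len | len > maxBody -> tooLarge
    -- Chunked or acceptable declared length: count while streaming.
    _ -> do
      r <- try (drainBounded req)
      case r of
        Left BodyTooLarge -> tooLarge
        Right _           -> respond (responseLBS status200 [] "ok\n")
  where
    tooLarge = respond (responseLBS status413 [] "request body too large\n")

main :: IO ()
main = run 3000 app
```

The `KnownLength` check alone is not sufficient, because a chunked request carries no declared length; the running count in `drainBounded` covers that case.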