On Fri, Jan 6, 2012 at 4:50 AM, Erik de Castro Lopo wrote:

Kazu Yamamoto (山本和彦) wrote:

...

Hello guys,

As you may know, "Denial of Service through hash table multi-collisions" was disclosed:

      http://permalink.gmane.org/gmane.comp.security.full-disclosure/83694

The hashable package is affected but not affected to Yesod suite. However, I guess we should provide size limitation of HTTP body on POST to Warp.

I disagree with limiting the size. I might be better to for the Warp application to consume the POST data in constant space.

Erik -- ---------------------------------------------------------------------- Erik de Castro Lopo http://www.mega-nerd.com/

_______________________________________________ web-devel mailing list web-devel@haskell.org http://www.haskell.org/mailman/listinfo/web-devel

Actually, the application can have full control over this, by either ignoring the request body entirely (Warp will essentially stream it to /dev/null) or throwing an exception. Michael

On Fri, Jan 6, 2012 at 1:45 AM, Michael Snoyman wrote:

Actually, the application can have full control over this, by either ignoring the request body entirely (Warp will essentially stream it to /dev/null) or throwing an exception.

On this move to conduit, I'd like to see some sort of a Source of POST parameters on Yesod. AFAIK, currently the only pretty API is the one that puts the whole request into memory. What do you think about it, Michael? Something that spits out a stream of data StreamPostParam = NewParam {- info about the param -} Data ByteString Cheers, -- Felipe.