[dev] [commits] Horde branch master updated. caa4af675a2be98a597c237189022da45b97c3d5
Michael M Slusarz
slusarz at horde.org
Mon Jun 10 19:30:57 UTC 2013
Quoting Jan Schneider <jan at horde.org>:
> Zitat von Michael M Slusarz <slusarz at horde.org>:
>
>> Quoting Jan Schneider <jan at horde.org>:
>>
>>> Zitat von Michael M Slusarz <slusarz at horde.org>:
>>>
>>>> The branch "master" has been updated.
>>>> The following is a summary of the commits.
>>>>
>>>> from: 21f4a6dc23769d29d60a43cb1d6487025b32fa4a
>>>>
>>>> a9ee0b4 [mms] Mailbox imports are now limited to 500 messages by default.
>>>
>>> Please move this to 6.2.
>>
>> Why? This is a security/DoS fix.
>
> How is that a security fix? And a DoS could easily be approached with
> setting a maximum execution time in the PHP configuration.
I can bring down my server when importing a file with, say, 10,000
messages. Maximum execution time will NOT do anything for this - at
least it doesn't in my testing. Regardless, that's not the correct
way of fixing this either: a user could just keep opening windows and
trying to import the file.
> A change that requires UPGRADING notices for changes in backends.php
> is very strong signal that this is more than just a bug fix.
As mentioned above, I brought my server down from this action. I have
a 30 second maximum execution time. Doesn't matter - server became
unresponsive until I restarted my FastCGI process.
If you are concerned about the UPGRADING documentation - I will take
it out and make it a hardcoded limit. That's the only other solution.
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
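The point made above is that a per-request cap on the number of imported messages bounds the work before it is done, whereas an execution-time limit only cuts it off afterwards (and a user can simply start several imports in parallel). The following is an added illustration of that technique, not code from Horde or IMP: a streaming mbox splitter that aborts as soon as the (limit+1)th message separator is read, so a 10,000-message upload costs at most `limit` messages of parsing and memory. The 500-message default mirrors the commit under discussion; the function names, the optional byte cap, and the sample mbox are assumptions constructed for the example.

```python
"""Count-limited mbox import: reject oversized uploads before doing the work."""
import io
from typing import Iterable, List, Optional, Tuple

# Assumption: mirrors the 500-message default from the commit under discussion.
DEFAULT_IMPORT_LIMIT = 500


class ImportLimitExceeded(Exception):
    """Raised as soon as an upload is known to exceed the configured cap."""


def import_mbox(lines: Iterable[str], limit: int = DEFAULT_IMPORT_LIMIT,
                max_bytes: Optional[int] = None) -> List[str]:
    """Split an mbox stream into raw messages, enforcing the cap while streaming.

    Messages are delimited by lines beginning with "From " (body lines that
    start that way are assumed to be escaped as ">From ", as mboxo/mboxrd do).
    The (limit+1)th separator aborts immediately: the rest of the file is
    never read, so the cost is bounded by `limit`, not by the upload size.
    `max_bytes` is an optional second cap on the bytes consumed.
    """
    messages: List[str] = []
    current: List[str] = []
    started = 0
    consumed = 0
    for line in lines:
        consumed += len(line)
        if max_bytes is not None and consumed > max_bytes:
            raise ImportLimitExceeded(f"mailbox import exceeds {max_bytes} bytes")
        if line.startswith("From "):
            started += 1
            if started > limit:
                raise ImportLimitExceeded(
                    f"mailbox import exceeds the limit of {limit} messages")
            if current:
                messages.append("".join(current))
                current = []
        elif started == 0:
            continue  # anything before the first separator is not a message
        current.append(line)
    if current:
        messages.append("".join(current))
    return messages


def import_or_reject(data: str, limit: int = DEFAULT_IMPORT_LIMIT,
                     max_bytes: Optional[int] = None) -> Tuple[List[str], Optional[str]]:
    """Hypothetical upload handler: accept the whole mailbox or reject it with a reason."""
    try:
        return import_mbox(io.StringIO(data), limit, max_bytes), None
    except ImportLimitExceeded as exc:
        return [], str(exc)


def lines_consumed_before_abort(data: str, limit: int) -> int:
    """Count how many lines the importer actually read before aborting or finishing."""
    consumed = 0

    def counting() -> Iterable[str]:
        nonlocal consumed
        for line in io.StringIO(data):
            consumed += 1
            yield line

    try:
        import_mbox(counting(), limit)
    except ImportLimitExceeded:
        pass
    return consumed


# Constructed sample: three short messages, 14 lines in total.
SAMPLE_MBOX = "\n".join([
    "From alice@example.org Mon Jun 10 19:30:57 2013",
    "Subject: one",
    "",
    "body one",
    "",
    "From bob@example.org Mon Jun 10 19:31:00 2013",
    "Subject: two",
    "",
    "body two",
    "",
    "From carol@example.org Mon Jun 10 19:31:05 2013",
    "Subject: three",
    "",
    "body three",
]) + "\n"


if __name__ == "__main__":
    accepted, reason = import_or_reject(SAMPLE_MBOX, limit=3)
    print(f"limit=3: imported {len(accepted)} messages, reason={reason}")
    accepted, reason = import_or_reject(SAMPLE_MBOX, limit=2)
    print(f"limit=2: imported {len(accepted)} messages, reason={reason}")
    print("lines read before abort at limit=2:",
          lines_consumed_before_abort(SAMPLE_MBOX, 2))
```

With `limit=2` the importer stops at line 11, the third "From " separator, and never touches the remainder of the file; that early exit is what an execution-time limit cannot give you, since the time limit fires only after the parser has already allocated and churned through the whole mailbox.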