Author terry.reedy
Recipients Arfrever, Mark.Shannon, PaulMcMillan, Zhiping.Deng, alex, barry, benjamin.peterson, christian.heimes, dmalcolm, georg.brandl, gvanrossum, haypo, jcea, lemburg, merwok, pitrou, terry.reedy
Date 2012-01-04.17:41:20
Message-id <1325698881.85.0.77647586716.issue13703@psf.upfronthosting.co.za>
Content
To expand on Marc-Andre's point 1: the DOS attack on web servers is possible because servers are generally dumb at the first stage. Upon receiving a post request, all key=value pairs are mindlessly packaged into a hash table that is then passed on to a page handler that typically ignores the invalid keys.

However, most pages do not need any key, value pairs, and forms that do have a pre-defined set of expected and recognized keys. If there were a possibly empty set of keys associated with each page, and the set were checked against posted keys, then a DOS post with thousands of effectively random keys could quickly (in O(1) time) be rejected as erroneous.

In Python, the same effect could be accomplished by associating a class with slots with each page and having the server create an instance of the class. Attempts to create an undefined attribute would then raise an exception. Either way, checking input data for face validity before processing it in a time-consuming way is one possible solution for nearly all web pages and at least some other applications.
History
Date User Action Args
2012-01-04 17:41:21 terry.reedy set recipients: + terry.reedy, lemburg, gvanrossum, barry, georg.brandl, jcea, pitrou, haypo, christian.heimes, benjamin.peterson, merwok, Arfrever, alex, dmalcolm, Mark.Shannon, Zhiping.Deng, PaulMcMillan
2012-01-04 17:41:21 terry.reedy set messageid: <1325698881.85.0.77647586716.issue13703@psf.upfronthosting.co.za>
2012-01-04 17:41:21 terry.reedy link issue13703 messages
2012-01-04 17:41:20 terry.reedy create
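
The pre-check described in the message above, as an added example that is not part of the original message or of CPython: each page declares its accepted keys through a class with `__slots__`, and a post is rejected at the first undeclared key, before any table is built from attacker-chosen keys. The names `PAGE_FORMS`, `LoginForm`, `NoForm`, `check_keys` and `bind_form` and the sample paths are assumptions made for this example.

```python
from urllib.parse import unquote_plus

class RejectedPost(ValueError):
    """Raised as soon as a posted key is not declared by the target page."""

class LoginForm:
    # Constructed example form: __slots__ is the complete set of accepted keys.
    __slots__ = ("user", "password")

class NoForm:
    # A page that accepts no form data at all.
    __slots__ = ()

# Hypothetical routing table mapping each page to its form class.
PAGE_FORMS = {"/login": LoginForm, "/about": NoForm}

def iter_pairs(body):
    """Yield raw 'key=value' chunks lazily, so a rejected body is never fully split."""
    start = 0
    while start < len(body):
        end = body.find("&", start)
        if end == -1:
            end = len(body)
        if end > start:
            yield body[start:end]
        start = end + 1

def check_keys(path, body):
    """Set-membership variant: return decoded pairs or reject on the first unknown key."""
    allowed = frozenset(PAGE_FORMS[path].__slots__)
    pairs = []
    for chunk in iter_pairs(body):
        raw_key, _, raw_value = chunk.partition("=")
        key = unquote_plus(raw_key)
        if key not in allowed:  # lookup in a small, server-defined set
            raise RejectedPost(f"unexpected key for {path}: {key[:32]!r}")
        pairs.append((key, unquote_plus(raw_value)))
    return pairs

def bind_form(path, body):
    """__slots__ variant: setattr() on an undeclared name raises, which rejects the post."""
    form = PAGE_FORMS[path]()
    for chunk in iter_pairs(body):
        raw_key, _, raw_value = chunk.partition("=")
        try:
            setattr(form, unquote_plus(raw_key), unquote_plus(raw_value))
        except (AttributeError, TypeError) as exc:  # TypeError covers names such as __class__
            raise RejectedPost(f"unexpected key for {path}") from exc
    return form
```

Both variants stop at the first undeclared key, so the cost of rejecting a flood does not grow with the number of keys that follow it.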