My apologies, I have determined this to be a non-issue.  My (unfounded) concerns were because of an apparent typo in yaws.pdf.

yaws.pdf, page 16:

<<In ERLANG terminology, the call yaws_api:parse_query(Arg) returns the list:

[{kalle, "duck"}, {goofy, "unknown"}]>>

page 17:

<<If that YAWS page has the following code:

out(A) ->
    L = yaws_api:parse_post(A),
    {html, f("~p", [L])}

The user will see the output

[{xyz, "Hello there"}]>>

As you can see, the docs show that the tuples in the lists are of the form {atom, string}, thus my concern that an attacker could force the creation of too many atoms.

In truth, testing reveals that yaws returns tuples of the form {string, string}, so there is nothing to worry about as form fields are described with two strings {"name", "value"} rather than {name, "value"}.

RECOMMENDATION:  Make a simple change to yaws.pdf and put quotes around the atoms on those pages.

Thanks.


> Date: Thu, 15 Mar 2012 11:13:48 -0400
> Subject: Re: [Erlyaws-list] form field names as atoms?
> From: vinoski@ieee.org
> To: nowhereface@live.com
> CC: erlyaws-list@lists.sourceforge.net
>
> Can you provide a small test case?
>
> --steve
>
> On Thu, Mar 15, 2012 at 11:05 AM, xxx xxx <nowhereface@live.com> wrote:
> > Hi, I'm new to yaws (not the disease, the web server, heh).
> >
> > Anyway, I've been recently building a website, and I noticed that in some
> > cases - for instance in processing post requests - yaws appears to represent
> > the names of the form fields as atoms.  If so, I presume it must make new
> > atoms if there aren't pre-existing atoms with the appropriate names.
> >
> > Question:  Does this represent some kind of danger to crashing the server
> > due to running out of memory, possibly because of a deliberate attack?
> > Forgive me if I seem paranoid, but for my particular use cases users WILL
> > absolutely try to hack into my systems and bring them down or compromise
> > them in any way possible - it is a guarantee.
> >
> > Thanks.
> >
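
The concern discussed in this thread, as an added example (not code from yaws or from the messages above): if application code wants atom keys, it can map the {string, string} pairs through a fixed allowlist instead of calling list_to_atom/1 on request data. The module name, function names and sample fields are assumptions made for illustration; erlang:system_info(atom_count) requires OTP 20 or later.

```erlang
-module(field_keys).
-export([to_known_keys/2, demo/0]).

%% Map string-keyed form fields (the {string, string} shape reported
%% from testing in the message above) to atom keys via a fixed allowlist.
%% Allowed is a list of {NameString, Atom} pairs written by the developer.
%% Fields not in the allowlist are returned separately, still as strings,
%% so request data never adds an entry to the atom table.
to_known_keys(Fields, Allowed) ->
    lists:foldr(
      fun({Name, Value}, {Known, Unknown}) ->
              case lists:keyfind(Name, 1, Allowed) of
                  {Name, Atom} -> {[{Atom, Value} | Known], Unknown};
                  false        -> {Known, [{Name, Value} | Unknown]}
              end
      end,
      {[], []},
      Fields).

%% Constructed sample input: two expected fields plus 1000 field names
%% chosen by the client. The atom count is compared before and after.
demo() ->
    Allowed = [{"kalle", kalle}, {"goofy", goofy}],
    Junk = [{"f" ++ integer_to_list(N), "x"} || N <- lists:seq(1, 1000)],
    Fields = [{"kalle", "duck"}, {"goofy", "unknown"} | Junk],
    Before = erlang:system_info(atom_count),
    {Known, Unknown} = to_known_keys(Fields, Allowed),
    After = erlang:system_info(atom_count),
    %% Pattern matches act as assertions; a mismatch raises badmatch.
    [{kalle, "duck"}, {goofy, "unknown"}] = Known,
    1000 = length(Unknown),
    Before = After,
    ok.
```

Compile with `erlc field_keys.erl` and call `field_keys:demo().` from the Erlang shell.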