From: Claes W. <kl...@ta...> - 2010-03-02 08:37:37
Daniel Fahlke wrote:
> *search through the logs of the last days*
>
> First this Bugfix.
> It was in the News (Sat Dec 11 2004 Version 1.50 released)
>
> "Form post parameter was still always managed as atoms. This is a
> backwards incompatible change. It broke the wiki as well as the upload
> example in the Yaws docs. However, the change is sound since it was easy
> to DOS a yaws server by sending file upload posts with new atoms.
> Eventually the atom table would overflow. However it does break code !!!

Ok, looong ago. That fix didn't have anything to do whatsoever with the size of the uploaded file. The problem was that the POST parse code did list_to_atom/1 while parsing. This meant that a malicious user could POST a long series of wacko POST requests where each POST request potentially created a set of new e.g. random atoms - that way filling up the erl atom table which is of fixed size - thus eventually making erl die.

/klacke
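
The difference described in the message above, as an added example that is not part of the original mail and is not Yaws source code: a POST-body parser that turns keys into atoms with list_to_atom/1, next to one that keeps keys as strings. The module name, function names and the sample body are assumptions made for illustration.

```erlang
%% Added example, not Yaws code. Module and function names are hypothetical.
-module(post_keys).
-export([parse_unsafe/1, parse_safe/1, demo/0]).

%% Pattern described in the mail: every key the client sends becomes an
%% atom. Atoms are never garbage collected and the atom table has a
%% fixed limit, so client-chosen names consume it permanently.
parse_unsafe(Body) ->
    [{list_to_atom(K), V} || {K, V} <- split_pairs(Body)].

%% Hardened form: keys stay as strings, so request data cannot grow the
%% atom table however many distinct field names arrive.
parse_safe(Body) ->
    split_pairs(Body).

%% Minimal splitter for "k1=v1&k2=v2". Percent-decoding is left out to
%% keep the example focused on key handling.
split_pairs(Body) ->
    [case string:split(Pair, "=") of
         [K, V] -> {K, V};
         [K]    -> {K, ""}
     end || Pair <- string:lexemes(Body, "&")].

%% Constructed input: one body with 1000 distinct field names.
%% Returns how many atoms each parser added to the VM, plus the limit.
demo() ->
    Body = lists:flatten(lists:join("&",
        [io_lib:format("demo_field_~b=x", [N]) || N <- lists:seq(1, 1000)])),
    %% Warm-up call so module loading is not counted in the measurement.
    _ = parse_safe("warm=up"),
    A0 = erlang:system_info(atom_count),
    _ = parse_safe(Body),
    A1 = erlang:system_info(atom_count),
    _ = parse_unsafe(Body),
    A2 = erlang:system_info(atom_count),
    #{safe_added => A1 - A0,
      unsafe_added => A2 - A1,
      atom_limit => erlang:system_info(atom_limit)}.
```

Watching erlang:system_info(atom_count) against atom_limit on a running node is also a practical way to notice code paths that still create atoms from request data.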