From: xxx x. <now...@li...> - 2012-03-16 13:05:16
My apologies, I have determined this to be a non-issue. My (unfounded) concerns were because of an apparent typo in yaws.pdf.

yaws.pdf, page 16:
<<In ERLANG terminology, the call yaws_api:parse_query(Arg) returns the list: [{kalle, "duck"}, {goofy, "unknown"}]>>

page 17:
<<If that YAWS page has the following code:

    out(A) ->
        L = yaws_api:parse_post(A),
        {html, f("~p", [L])}

The user will see the output [{xyz, "Hello there"}]>>

As you can see, the docs show that the tuples in the lists are of the form {atom, string}, thus my concern that an attacker could force the creation of too many atoms.

In truth, testing reveals that yaws returns tuples of the form {string, string}, so there is nothing to worry about as form fields are described with two strings {"name", "value"} rather than {name, "value"}.

RECOMMENDATION: Make a simple change to yaws.pdf and put quotes around the atoms on those pages.

Thanks.

> Date: Thu, 15 Mar 2012 11:13:48 -0400
> Subject: Re: [Erlyaws-list] form field names as atoms?
> From: vi...@ie...
> To: now...@li...
> CC: erl...@li...
>
> Can you provide a small test case?
>
> --steve
>
> On Thu, Mar 15, 2012 at 11:05 AM, xxx xxx <now...@li...> wrote:
> > Hi, I'm new to yaws (not the disease, the web server, heh).
> >
> > Anyway, I've been recently building a website, and I noticed that in some
> > cases - for instance in processing post requests - yaws appears to represent
> > the names of the form fields as atoms. If so, I presume it must make new
> > atoms if there aren't pre-existing atoms with the appropriate names.
> >
> > Question: Does this represent some kind of danger to crashing the server
> > due to running out of memory, possibly because of a deliberate attack?
> > Forgive me if I seem paranoid, but for my particular use cases users WILL
> > absolutely try to hack into my systems and bring them down or compromise
> > them in any way possible - it is a guarantee.
> >
> > Thanks.
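Added example (not part of the thread and not Yaws code): application code that wants atom keys can still reintroduce the atom-table concern raised above if it calls list_to_atom/1 on the {"name", "value"} pairs. The sketch below maps field names to atoms through an allow-list instead. The module name form_fields and the functions to_known/2 and demo/0 are hypothetical, the input is constructed, and erlang:system_info(atom_count) assumes OTP 20 or later.

```erlang
-module(form_fields).
-export([to_known/2, demo/0]).

%% Convert {"name", "value"} pairs (the shape the post reports for
%% yaws_api:parse_post/1) into {atom, "value"} pairs without ever
%% creating an atom from client input.
%%
%% Allowed is a list of atoms written in the application's own source,
%% so they already exist when the module is loaded. Calling
%% list_to_atom(Name) here instead would add one atom per distinct
%% client-supplied name; atoms are never garbage collected and the VM
%% terminates when the atom table is full.
%%
%% Returns {ok, Known, Unknown}. Unknown keeps the names as strings so
%% the caller can log or reject them.
to_known(Pairs, Allowed) ->
    %% String -> atom lookup built only from pre-existing atoms.
    Lookup = maps:from_list([{atom_to_list(A), A} || A <- Allowed]),
    {Known, Unknown} = lists:foldr(
        fun({Name, Value}, {K, U}) ->
            case maps:find(Name, Lookup) of
                {ok, Atom} -> {[{Atom, Value} | K], U};
                error      -> {K, [{Name, Value} | U]}
            end
        end, {[], []}, Pairs),
    {ok, Known, Unknown}.

%% Constructed input: two expected fields plus 1000 arbitrary names,
%% standing in for a request with many unexpected form fields.
demo() ->
    Junk = [{"f" ++ integer_to_list(N), "x"} || N <- lists:seq(1, 1000)],
    Pairs = [{"xyz", "Hello there"}, {"goofy", "unknown"} | Junk],
    Before = erlang:system_info(atom_count),
    {ok, Known, Unknown} = to_known(Pairs, [xyz, goofy]),
    After = erlang:system_info(atom_count),
    %% Growth is reported so it can be compared against the number of
    %% unknown names: it does not scale with what the client sent.
    [{known, Known},
     {unknown_count, length(Unknown)},
     {atom_growth, After - Before}].
```

Where a whole-table allow-list is impractical, list_to_existing_atom/1 wrapped in a try/catch for badarg gives the same guarantee that no new atom is created.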