Absolutely agree. That's the reason why I want to introduce some
additional transport options, like ACCEPTABLE_CONTENT_TYPE (if you
want to accept ONLY text/xml or multipart/related) and
MAX_CONTENT_SIZE that should take care about it and request will be
rejected. As for DOS attack it could be introduced even with small
request which has complex XML structure. Anyway, these options should
make server side more robust.
Best wishes, Paul.
> Hi Paul,
> That's right, but the current version of SOAP::Lite should never
> expect large requests. The server will give no response and fill
> the complete memory on the machine. Since it expect SOAP messages
> with attachements it should be able to handle large amount of data.
> However, it works fine with simple requests. But general for
> handling SOAP messages with attachments (the 7 MB attachment was
> example, i had also problems to handle smaller attachments) should
> use stream mechanism. If not you should not read it into memory but
> reject the request. Maybe i'm wrong but it is a weak point and DOS
> attacks may use it.
> --- In soaplite@y..., Paul Kulchenko <paulclinger@y...> wrote:
> > Hi, Sebastian!
> > That's true, but at the same time it's easy to imagine situation
> > you send something not directly, but thru the several different
> > intermediaries and each of them will need to handle this huge
> > request. If this piece is encoded as external reference then
> > could be smart enough to get it only if it's required (yet I
> > know about such smart handlers :)). Ideas, ideas...
> > Ideally implementation should be flexible enough to handle both
> > maybe man others) approaches, maybe with manual hints.
> > Best wishes, Paul.
> ------------------------ Yahoo! Groups Sponsor
> To unsubscribe from this group, send an email to:
> Your use of Yahoo! Groups is subject to
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail.