create: DoS in not authenticated mode?

[ThomasWaldmann]

There's some pointer to a DoS added by this PR:

97089fe

But it is unclear about how such an attack (on borg create) could work. Thus, this comment mainly leaves people confused.

Also, due to that, it is also not clear whether this still applies.

[ThomasWaldmann]

Not adding "security" label here, because it is a) documented and b) everybody not using an authenticated mode is obviously not much interested in security anyway.

[elho]

It most likely refers to this comment.

[ThomasWaldmann]

@elho ah, yes, thanks for digging that.

What I'm asking myself now is whether this is notable enough and if so, whether we maybe should add an explaining sentence there, so that people do not wonder.

If not, we could also remove that note there.

[fantasya-pbem]

„This mode has possible denial-of-service issues when running borg create on contents controlled by an attacker.“

We could add a warning like
„...by an attacker - do not use it if untrusted clients use the repository.“,
and maybe link to the HashIndex internals.

[ThomasWaldmann]

What kind of person would want to read that?

Someone who is interested in security, but who wants to use the least secure repo type nevertheless?