Limit post size to help against DoS attacks #446

Closed
alessioalex opened this Issue Dec 29, 2011 · 4 comments

@alessioalex

This won't solve the problem completely, but it would help.

Read more about this problem here:

http://www.ocert.org/advisories/ocert-2011-003.html
http://www.youtube.com/watch?v=R2Cq3CLI6H8

The Socket.IO guys already made a commit for this a month ago:

socketio/socket.io@a7f45fe

I think we should be able to specify a max post size and the bodyParser should kill what exceeds that. The implementation should probably be done in the file: https://github.com/senchalabs/connect/blob/master/lib/middleware/json.js

tj Dec 29, 2011

Member

We have limit() for this, which works for any request body. Even without this specific issue you could exhaust resources reasonably easily without some form of limiting.


tj closed this Dec 29, 2011

alessioalex Dec 29, 2011

Can you please elaborate? I couldn't find any limit() function in the source code, and in node-formidable I only saw incomingForm.maxFieldsSize. Thanks
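
The request-body limiting discussed in this thread, sketched as an added example (not connect's limit() source and not code posted in the issue). `limitBody` and `simulate` are hypothetical names, and the request/response objects are constructed stand-ins so it runs without a network:

```javascript
// Added example. limitBody and simulate are hypothetical names, not connect's API.
function limitBody(maxBytes) {
  return function (req, res, next) {
    let received = 0;
    let rejected = false;
    const reject = () => {
      if (rejected) return;
      rejected = true;
      res.statusCode = 413; // Payload Too Large
      res.end();
      req.destroy(); // stop reading the rest of the body
    };
    // 1. Refuse up front when the declared length is already over the cap.
    if (Number(req.headers['content-length']) > maxBytes) return reject();
    // 2. Count streamed bytes too: the header can be absent (chunked) or wrong.
    req.on('data', (chunk) => {
      received += chunk.length;
      if (received > maxBytes) reject();
    });
    next();
  };
}

// Constructed stand-ins for the request/response objects so this runs offline.
function simulate(maxBytes, headers, chunks) {
  const handlers = { data: [], end: [] };
  let destroyed = false;
  const req = {
    headers,
    on(ev, fn) { handlers[ev].push(fn); },
    destroy() { destroyed = true; },
  };
  const res = { statusCode: 200, end() {} };
  let buffered = 0;
  let parsed = false;
  limitBody(maxBytes)(req, res, () => {
    // Downstream body parser: buffers chunks, parses only once 'end' fires.
    req.on('data', (c) => { buffered += c.length; });
    req.on('end', () => { parsed = true; });
  });
  for (const c of chunks) {
    if (destroyed) break;
    handlers.data.forEach((fn) => fn(c));
  }
  if (!destroyed) handlers.end.forEach((fn) => fn());
  return { status: res.statusCode, parsed, buffered };
}

console.log(simulate(10, {}, [Buffer.alloc(6), Buffer.alloc(6)]));
```

The limiter has to be registered ahead of the body parser so that an oversized body is cut off before the parser ever gets to parse it.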
