lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

On Fri, Dec 30, 2011 at 18:32, Josh Simmons <> wrote:
> I was thinking more at an application level, parse n fields out of the HTTP
> request then die. But modifying lua to suit would work too I suppose. I
> don't think there's a general need for this but it might make a handy power
> patch.
> On Dec 31, 2011 12:02 PM, "Mark Hamburg" <> wrote:
>> On Dec 30, 2011, at 1:09 PM, Josh Simmons wrote:
>> Why not just limit n at the parser level? Far simpler than any
>> alternative. It's not like your application really needs to handle arbitrary
>> numbers of fields all at once.
>> You have to be careful with HTTP header fields too.
>> That does raise an interesting alternative solution. The string interning
>> logic could optionally detect when a chain of strings had exceeded some
>> limit and then fail the effort to add the string. This is probably only
>> recommended in controlled contexts where one is prepared for the error to
>> occur, but by blocking the problem at the point where we're interning the
>> strings we avoid needing to protect the hash table cases.
>> Mark

On that note, I'm curious if creating hash collisions is feasible in a
real server. Most servers will reject requests that contain too many
headers, or that are too long. How many collisions can an attacker
really create if the number and length of headers is very limited?

Sent from my toaster.