On 8/28/2010 9:50 AM, dave b wrote:
> On 28 August 2010 23:21, dave b <db.pub.m...@gmail.com> wrote:
>> On 28 August 2010 23:09, dave b <db.pub.m...@gmail.com> wrote:
[...]
>>> The documentation and code in django suggests that this is not the
>>> case. So let's assume we are not using apache but another httpd of some
>>> sort - then this problem will be present.
>>> http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.4 seems to
>>> say otherwise from my reading.
>>
>> Just to clarify this - I meant that the http content length header
>> item is *not* required - as per
>> http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.4 (also see
>> 4.4.2), so I do not believe that apache would do what you said :) -
>> there is a default limit in apache of around 2gb for the attacker's
>> file to reach though.
>>
>
> Woop I hit send a bit early, I meant to also include:
> So now the attack can now just not specify the content length and um...
>
> >>> None < 2621440
> True
>
>
> We pass the check ;) as far as I know. Look if I really have missed
> something do tell me :)
>

Would you mind trimming your replies to exclude the irrelevant stuff from
earlier in the thread? That way, I might actually read them ... ;-)

regards
 Steve
--
DjangoCon US 2010 September 7-9 http://djangocon.us/
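
The comparison quoted in the thread, turned into a defensive size check (an added example, not part of the original message and not Django's code): it treats a missing Content-Length as unknown and caps the bytes actually read. The function names, the exception class and the plain-dict `headers` are assumptions; `2621440` is the figure quoted in the thread.

```python
import io
import re

MAX_BODY = 2621440  # byte limit quoted in the thread


class BodyTooLarge(Exception):
    """Raised when a request body exceeds the configured limit."""


def declared_length(headers):
    """Return Content-Length as an int, or None when absent or malformed.

    `headers` is assumed to be a plain dict keyed by exact header name.
    """
    raw = headers.get("Content-Length")
    if raw is None or not re.fullmatch(r"[0-9]+", raw.strip()):
        return None
    return int(raw.strip())


def read_capped(stream, headers, limit=MAX_BODY, chunk=65536):
    """Read a request body, refusing anything larger than `limit` bytes."""
    declared = declared_length(headers)
    # Test for None explicitly. On Python 2, `None < limit` evaluates to
    # True, so a bare comparison accepts a request that omits the header;
    # on Python 3 the same comparison raises TypeError instead.
    if declared is not None and declared > limit:
        raise BodyTooLarge("declared %d bytes, limit %d" % (declared, limit))
    # The header is only a claim by the client, so count what arrives.
    body = bytearray()
    while True:
        data = stream.read(chunk)
        if not data:
            break
        body += data
        if len(body) > limit:
            raise BodyTooLarge("received more than %d bytes" % limit)
    return bytes(body)


if __name__ == "__main__":
    # Constructed sample: 2000-byte body, no Content-Length, 1000-byte limit.
    try:
        read_capped(io.BytesIO(b"a" * 2000), {}, limit=1000)
    except BodyTooLarge as exc:
        print("rejected:", exc)
```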