qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Stitcher <astitc...@redhat.com>
Subject Re: Apache CI Python against CPP (Qpid-Python-Cpp-Test) tests failing for the last few days
Date Fri, 25 May 2012 16:08:29 GMT
On Fri, 2012-05-25 at 16:39 +0100, Gordon Sim wrote:
> ...

> FWIW I really don't like that code.

Neither do I, possibly for different reasons.

> 
> It doesn't actually protect from badly behaved client code anyway, only 
> from one specific case. Provided you send a valid AMQP header you can 
> still use up all the connections without doing anything further and 
> without authenticating.

Fair point. It doesn't protect you from all badly behaved code, but it
is a step wise improvement from the previous state.

> 
> Rather than having a maximum time to negotiate the protocol version what 
> is really needed is a maximum time to authenticate.

I agree.

I'll see if there is an obviously equally safe place to detect we've
authenticated.

Of course this still won't protect you from a massive DDoS.

Andrew



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


Mime
View raw message