- From: Sam Idicula <sam_idicula@hotmail.com>
- Date: Mon, 02 May 2005 18:49:47 -0500
- To: ietf-http-wg@w3.org
Hi, I have a question about the auth-int option of digest authentication: Since the authentication check and the integrity check can both be done only after reading the entire request, I'm assuming that the server needs to buffer up the request body. Doesnt this open the door for an attacker to flood a server with a large request (like a PUT with a 200MB body)? Since the request is large and server needs to buffer the request, this allows the attacker to cause a lot of disk-write's on the server and consume disk space temporarily? The server can, of course, put limits on the size of the request body but this would limit even legitimate users. For example, if the server limits it to 64K, a legitimate user cannot store a file > 64K using a PUT request. Does anybody know what is the standard/recommended solution to this problem? Thanks Sam
Received on Monday, 2 May 2005 23:49:41 UTC