rhafer@suse.de wrote:

On Wednesday 29 August 2007 18:48, ando@sys-net.it wrote:

...

rhafer@suse.de wrote:

...

But a malicous client can then just send requests with sizelimit 1. Those query will get cached and the database is of no real use anymore (IMO).

Well, in this case, the proxycache should either change the sizelimit (and the timelimit) to unlimited, and deal with client-requested limits locally,

This seems like the nicest approach to solve the problem. But seems to be a bit more effort.

I'd go this way, yes.

My suggest for a quick fix for this issue would be to just not cache queries that return one off the _LIMIT_EXCEEDED error codes. Probably with checking if it was a client-requested limit or a limit of the server side (in which case we could probably cache the results).

Then please make a clear statement in the code that it's a temporary workaround, so it is easier to spot and remove, eventually.

...

or consider uncacheable those requests that specify a time or a size limit.

Well that would cause even those queries being uncachable that would not hit the requested limit. If I understand you correctly.

Right. Well, I understand if no limit was hit the request would become cacheable. In this case, the approach you suggest would be fine.

p.

Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------