Max request size
trytond read the data from the request without any limitation on the size.
This can be used to make a denial of service by flooding the server with huge request.
I think it is a missing security feature than a real security issue. The missing feature could be implemented by using a server proxy like ngnix or lighttpd (which have such request size validation by default).
I keep for now, the issue type as security, I will change for feature request if we agree on its status.
Here is my proposal for the security improvement:
- add two configuration values:
- max-request-size: 12048 (2M)
- max-request-size-authenticated: 2097152 (2G)
- add to wsgi_app a check just before calling dispatch_request on the size limit depending of the authorization.
- if the configuration is set to 0, it will means no check.
Of course we should keep encouraging to use a proxy server for production deployment but at least default setup will have a protection by default.