[Moscow.pm] [nodejs] Re: HOLY CRAP. nearly all nodejs http servers are vulnerable to DoS and apparently, the V8 guys seem to not care much

Denis Evdokimov evdokimov.denis на gmail.com
Пт Дек 30 14:39:01 PST 2011


А что тут странного? Они пишут движок для скриптов внутри браузера, зачем
им решать проблемы чужого проекта?
31.12.2011 1:58 пользователь "Alexandr Gomoliako" <zzz на zzz.org.ua> написал:

> > On Dec 28, 4:47 pm, Jann Horn <jannh... на googlemail.com> wrote:
>
> >> Basically, because v8 uses weak hashes for objects, you can fill up
> >> one slot of the hashtable with many entries, e.g. using a POST
> >> containing a querystring with many keys with the same hash. Operating
> >> on those keys (inserting and reading) then becomes slow as hell which
> >> allows you to bring a nodejs server to 100% CPU usage for a long time
> >> (blocking the event loop completely) with one moderately large POST
> >> request. This is bad.
>
> >> Those guys say they told Google October 18th, they got through to the
> >> v8 guys in November, and they said they don't care sooo much about DoS
> >> attacks on v8 because they're mainly interested in browserside stuff.
>
> Гугл не захотел фиксить хэши в v8, им все равно, как он в ноде
> работает. Очередная причина избегать джаваскрипт за пределами
> браузера :)
> --
> Moscow.pm mailing list
> moscow-pm на pm.org | http://moscow.pm.org
>
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://mail.pm.org/pipermail/moscow-pm/attachments/20111231/6729433a/attachment.html>


Подробная информация о списке рассылки Moscow-pm