Subject: Re: Limiting doc size to prevent malicious use
From: Dave Cottlehuber
To: user@couchdb.apache.org
Date: Thu, 6 Sep 2012 21:27:50 +0200
In-Reply-To: <2C95F28B-EF18-449D-BB57-4C9E243C9F68@apache.org>

On 6 September 2012 20:50, Robert Newson wrote:
> // validate_doc_update function; `limit` is the chosen maximum serialized size
> function(doc) {
>   if (JSON.stringify(doc).length > limit) {
>     throw({forbidden : "doc too big"});
>   }
> }
>
> With the caveat that this is inefficient and horrible.
>
> B.

And from a network-based (D)DoS, the damage is already done because it was sent & parsed muahahaha. But at least you'll not be storing that in the DB.

Is anybody using nginx or apache to enforce a hard limit? e.g. http://wiki.nginx.org/HttpCoreModule#client_max_body_size

A+
Dave
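Added example, not code from this thread, from either poster, or from CouchDB or nginx themselves: it puts the two rejection points discussed above side by side in plain Node.js. `validate_doc_update` is written in the shape CouchDB calls it (newDoc, oldDoc, userCtx, secObj) and only ever runs after the body has been received and parsed; `receiveBody` is a model of what a proxy body limit such as nginx's `client_max_body_size` does (refuse on the declared Content-Length, or stop reading once the streamed bytes pass the limit, before any JSON is parsed). `MAX_DOC_BYTES`, the chunk size and the three sample documents are constructed for the demonstration and are not values from the thread.

```javascript
// Added example: oversize-document rejection inside CouchDB (after parse)
// versus at a proxy-style body limit (before parse). MAX_DOC_BYTES is a
// hypothetical threshold; sample documents below are constructed.

const MAX_DOC_BYTES = 1024;

// CouchDB-shaped validation function. CouchDB invokes it only once the JSON
// body has already been received and parsed, so it prevents storage, not
// the cost of receiving and parsing the request.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  // String.length counts UTF-16 code units; measure UTF-8 bytes so that
  // non-ASCII content is not undercounted against a byte-based limit.
  const bytes = Buffer.byteLength(JSON.stringify(newDoc), 'utf8');
  if (bytes > MAX_DOC_BYTES) {
    throw { forbidden: 'doc too big: ' + bytes + ' bytes exceeds ' + MAX_DOC_BYTES };
  }
  return bytes; // used by the harness below; CouchDB ignores the return value
}

// Run the validation function the way CouchDB would, reporting the outcome
// instead of letting the {forbidden: ...} object propagate.
function validateParsed(doc) {
  try {
    return { stored: true, bytes: validate_doc_update(doc, null, {}, {}) };
  } catch (e) {
    return { stored: false, reason: e.forbidden };
  }
}

// Model of a proxy body limit (not nginx's code): reject on the declared
// Content-Length, otherwise count streamed bytes and abort as soon as the
// limit is crossed. JSON.parse is reached only for bodies within the limit.
function receiveBody(headers, chunks, limit) {
  const declared = Number(headers['content-length']);
  if (Number.isFinite(declared) && declared > limit) {
    return { status: 413, bytesRead: 0, parsed: false };
  }
  const received = [];
  let bytesRead = 0;
  for (const chunk of chunks) {
    bytesRead += chunk.length;
    if (bytesRead > limit) {
      return { status: 413, bytesRead, parsed: false };
    }
    received.push(chunk);
  }
  const doc = JSON.parse(Buffer.concat(received).toString('utf8'));
  return { status: 200, bytesRead, parsed: true, doc };
}

// Both size measures for a document: UTF-16 code units versus UTF-8 bytes.
function sizeMeasures(doc) {
  const json = JSON.stringify(doc);
  return { chars: json.length, bytes: Buffer.byteLength(json, 'utf8') };
}

// Constructed sample documents.
const smallDoc = { _id: 'note-1', text: 'hello' };
const bigDoc = { _id: 'note-2', text: 'x'.repeat(4000) };
// 600 copies of U+00E9 ('\u00e9'): 600 UTF-16 units but 1200 UTF-8 bytes, so a
// limit applied to String.length would accept it while a byte limit rejects it.
const multiByteDoc = { _id: 'note-3', text: '\u00e9'.repeat(600) };

// Split a document's UTF-8 body into fixed-size chunks, as a client streaming it.
function chunked(doc, size) {
  const body = Buffer.from(JSON.stringify(doc), 'utf8');
  const out = [];
  for (let i = 0; i < body.length; i += size) out.push(body.subarray(i, i + size));
  return out;
}

// Exercise each sample against: an honest client that declares Content-Length,
// a client that sends no usable Content-Length, and the in-CouchDB check alone.
function demo() {
  const results = {};
  for (const [name, doc] of [['small', smallDoc], ['big', bigDoc], ['multi', multiByteDoc]]) {
    const body = Buffer.from(JSON.stringify(doc), 'utf8');
    results[name] = {
      honest: receiveBody({ 'content-length': String(body.length) }, chunked(doc, 256), MAX_DOC_BYTES),
      streamed: receiveBody({}, chunked(doc, 256), MAX_DOC_BYTES),
      validated: validateParsed(doc),
      measures: sizeMeasures(doc),
    };
  }
  return results;
}
```

Two things the run makes visible. The `JSON.stringify(doc).length` check quoted above counts UTF-16 code units, so against a byte-sized budget it under-reads non-ASCII content (the third sample is 626 units but 1226 bytes); measuring `Buffer.byteLength` closes that gap. And for the oversize body the proxy-style limit stops after 1280 bytes of a 4026-byte body, or after zero bytes when Content-Length is declared, whereas the validation function only gets to say no after all 4026 bytes have been received and parsed, which is exactly the "damage is already done" point in the reply.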