From: Wordit
Date: Thu, 6 Sep 2012 19:50:50 +0200
Subject: Re: Limiting doc size to prevent malicious use
To: user@couchdb.apache.org

On Thu, Sep 6, 2012 at 7:35 PM, Robert Newson wrote:
>
> validate_doc_update is your only other option. It won't stop the attempt, though, but at least you can reject the write itself.

Thanks, I've been wondering how to achieve this. I can test the size of each field, but a malicious user can create a new field to dump the data in, right?

A require function assures certain fields exist, but can you limit the fields to specific names? That way, you know which fields to check the string lengths of.

Thanks,
Marcus
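One way to do what the message above asks, as an added example that is not part of the original thread: a validate_doc_update function that accepts only whitelisted field names and caps the string length of each. The field names and limits in ALLOWED_FIELDS and the tryWrite harness are assumptions made for illustration.

```javascript
// Added example; ALLOWED_FIELDS and its limits are hypothetical.
var ALLOWED_FIELDS = { title: 200, body: 10000, author: 100 }; // max string length
// CouchDB metadata fields that are let through without a length check.
var RESERVED = ["_id", "_rev", "_revisions", "_deleted"];

// CouchDB runs this on every document write; throwing {forbidden: ...} rejects it.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  for (var name in newDoc) {
    if (!Object.prototype.hasOwnProperty.call(newDoc, name)) continue;
    if (RESERVED.indexOf(name) !== -1) continue;
    // Anything not on the whitelist is refused, including _attachments,
    // which would otherwise be a second place to put unbounded data.
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_FIELDS, name)) {
      throw { forbidden: "field not allowed: " + name };
    }
    var value = newDoc[name];
    // Require plain strings so nested objects or arrays cannot carry extra data.
    if (typeof value !== "string") {
      throw { forbidden: "field must be a string: " + name };
    }
    if (value.length > ALLOWED_FIELDS[name]) {
      throw { forbidden: "field too long: " + name };
    }
  }
}

// Local harness: returns null if the write would be accepted, else the reason.
function tryWrite(doc) {
  try {
    validate_doc_update(doc, null, { name: "alice", roles: [] }, {});
    return null;
  } catch (e) {
    return e.forbidden;
  }
}

// Constructed sample documents.
console.log(tryWrite({ _id: "a", title: "hi", body: "text" }));
console.log(tryWrite({ _id: "b", title: "hi", dump: "xxxx" }));
console.log(tryWrite({ _id: "c", body: { nested: "x" } }));
console.log(tryWrite({ _id: "d", _rev: "2-x", _deleted: true, dump: "xxxx" }));
```

Deletions are validated like any other write here, so a tombstone cannot carry extra fields either. As the quoted reply says, this rejects the write but does not stop the request from being sent.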