On Tue, Mar 29, 2011 at 5:00 PM, Eric Evans <eev...@rackspace.com> wrote:
>> My suggestion as a means of heavily mitigating the damage of these
>> attacks would be to only permit a single query at a time (i.e. remove
>> the ';' token).
>
> This is effectively the case. The parser is run exactly once for each
> request and is only capable of parsing exactly one statement (no less,
> no more). Terminating a query with ';' is allowed, but has no effect on
> this.
Batches allow multiple semicolon-delimited statements. I think we'd need
to have a separate cql_batch rpc method that took a list of statements
to solve this. (I.e., begin/apply batch and the semicolons would be
strictly interactive markers that would be used to break it up into the
statements to send in that list.)

--
Jonathan Ellis
Project Chair, Apache Cassandra
co-founder of DataStax, the source for professional Cassandra support
http://www.datastax.com
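The distinction the two replies draw (a per-request parser that accepts exactly one statement, versus a batch grammar that accepts several ';'-delimited statements in one string, versus a batch RPC that takes a list of individually parsed statements) can be modelled in a few lines. The following is an added illustration, not Cassandra's CQL parser or any code from this thread: `split_statements`, `parse_single`, `parse_batch_text`, `build_batch`, and the constructed `STACKED` input are all hypothetical, and the tokenizer only understands single-quoted literals with `''` as the escape.

```python
# Added example (not Cassandra's parser): a toy model of the three grammars
# discussed in the thread. split_statements() only tracks single-quoted
# literals with '' as the escape; it is an assumption for illustration, not CQL.


class ParseError(ValueError):
    pass


def split_statements(text: str) -> list[str]:
    """Split text on ';' that sits outside a single-quoted literal.

    Inside a literal, '' is an escaped quote and does not close the string.
    """
    stmts: list[str] = []
    buf: list[str] = []
    in_str = False
    i = 0
    while i < len(text):
        c = text[i]
        if in_str:
            buf.append(c)
            if c == "'":
                if i + 1 < len(text) and text[i + 1] == "'":
                    buf.append("'")  # escaped quote, stay inside the literal
                    i += 1
                else:
                    in_str = False
        elif c == "'":
            in_str = True
            buf.append(c)
        elif c == ";":
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    if in_str:
        raise ParseError("unterminated string literal")
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s]  # a trailing ';' leaves an empty tail, drop it


def parse_single(text: str) -> str:
    """Model of a per-request parser that accepts exactly one statement."""
    stmts = split_statements(text)
    if len(stmts) != 1:
        raise ParseError(f"expected exactly one statement, found {len(stmts)}")
    return stmts[0]


def parse_batch_text(text: str) -> list[str]:
    """Model of a batch grammar that takes ';'-delimited statements in one string."""
    stmts = split_statements(text)
    if not stmts:
        raise ParseError("empty batch")
    return stmts


def build_batch(statements: list[str]) -> list[str]:
    """Model of a list-based batch RPC: every element must parse as one statement."""
    return [parse_single(s) for s in statements]


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ParseError."""
    try:
        fn(*args)
    except ParseError:
        return True
    return False


# Constructed injection attempt: closes the literal, stacks a DROP, reopens a literal
STACKED = "alice'; DROP KEYSPACE app; SELECT 'x"
QUERY = f"SELECT * FROM users WHERE name = '{STACKED}'"
BATCH_TEXT = (
    f"UPDATE users SET last_login = 1 WHERE name = '{STACKED}'; "
    "UPDATE audit SET n = 1 WHERE name = 'alice'"
)

# A legitimately escaped quote inside a literal must not be treated as a split point
SAFE_QUERY = "SELECT * FROM users WHERE name = 'o''brien'"

if __name__ == "__main__":
    print(split_statements(QUERY))                 # three statements, DROP in the middle
    print(rejects(parse_single, QUERY))            # True: single-statement parser refuses it
    print(parse_batch_text(BATCH_TEXT))            # the string-based batch path lets DROP through
    print(rejects(build_batch, [f"UPDATE users SET last_login = 1 WHERE name = '{STACKED}'"]))
```

With the single-statement grammar the stacked `DROP` never reaches execution, and the list-based batch keeps that property because each element goes through `parse_single`; the string-based batch path is the one that reopens the hole. Note that this only closes the stacked-statement class of injection: a payload that stays within one statement (a tautology in a `WHERE` clause, say) still parses, so bound parameters rather than string concatenation remain the real fix.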