Comments inline...

On Tue, Mar 29, 2011 at 5:00 PM, Eric Evans <eev...@rackspace.com> wrote:
My suggestion as a means of heavily mitigating the damage of these
attacks would be to only permit a single query at a time (i.e. remove
the ';' token).

This is effectively the case.  The parser is run exactly once for each
request and is only capable of parsing exactly one statement (no less,
no more).  Terminating a query with ';' is allowed, but has no effect on
this.

Batches allow multiple semicolon-delimited statements.
I think we'd need to have a separate cql_batch rpc method that took a
list of statements to solve this.  (I.e., begin/apply batch and the
semicolons would be strictly interactive markers that would be used to
break it up into the statements to send in that list.)

So effectively cql_batch accepts a list something like:
List<Statement> batchStatements;
cql_batch(batchStatements);

where each Statement in the list is limited to exactly one... select or whatever? Making it one call to the server, but then each statement is processed separately...

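An added example, not code from the Cassandra project or from any of the posters in this thread: a toy Python front end modelled on the behaviour the thread describes (the parser accepts exactly one statement, a trailing ';' is tolerated but has no effect, and a batch arrives as a list that is parsed statement by statement rather than as a ';'-joined string). The names parse_single_statement, cql_batch, accepts and quote_literal are assumptions for illustration, and the sample requests are constructed. It also shows the limit of the mitigation: a payload that stays inside one statement still parses.

```python
# Added example (assumed names, constructed inputs); not Cassandra's parser.

class StatementError(ValueError):
    """Raised when a request is not exactly one well-formed statement."""


def _split_statements(text):
    """Split text on ';' that lie outside single-quoted string literals.

    Inside a literal, '' is an escaped quote, so 'it''s' is one literal and
    a ';' inside it is data, not a statement terminator.
    """
    stmts, buf, in_str, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            buf.append(c)
            if c == "'":
                if i + 1 < len(text) and text[i + 1] == "'":
                    buf.append("'")          # escaped quote, stay in literal
                    i += 1
                else:
                    in_str = False
        elif c == "'":
            in_str = True
            buf.append(c)
        elif c == ";":
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    if in_str:
        raise StatementError("unterminated string literal")
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return [s for s in stmts if s]


_VERBS = ("SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "CREATE", "USE")


def parse_single_statement(text):
    """Parse exactly one statement: no less, no more.

    A trailing ';' is accepted and ignored.  Anything after it that forms a
    second statement is an error, not a second query to execute.
    Returns (verb, statement_text) with the terminator stripped.
    """
    stmts = _split_statements(text)
    if not stmts:
        raise StatementError("empty request")
    if len(stmts) > 1:
        raise StatementError(f"only one statement per request (got {len(stmts)})")
    verb = stmts[0].split(None, 1)[0].upper()
    if verb not in _VERBS:
        raise StatementError(f"unknown statement type: {verb!r}")
    return verb, stmts[0]


def accepts(text):
    """True if the request parses as exactly one statement, else False."""
    try:
        parse_single_statement(text)
        return True
    except StatementError:
        return False


def cql_batch(statements):
    """Hypothetical batch RPC: one call carrying a list of statements, each
    parsed on its own.  Semicolons can never create extra statements here."""
    return [parse_single_statement(s) for s in statements]


def quote_literal(value):
    """Embed untrusted text as a single-quoted literal by doubling quotes."""
    return "'" + value.replace("'", "''") + "'"


if __name__ == "__main__":
    evil = "bob'; DROP COLUMNFAMILY users; SELECT 'x"
    # Naive concatenation: the injected ';' lands outside any literal, the
    # request becomes three statements, and the parser refuses it outright.
    print(accepts(f"SELECT * FROM users WHERE name = '{evil}'"))      # False
    # Properly quoted, the same payload is one statement and just data.
    print(accepts("SELECT * FROM users WHERE name = " + quote_literal(evil)))  # True
    # Caveat: injection that stays within one statement is NOT caught.
    print(accepts("SELECT * FROM users WHERE name = 'bob' OR name = 'alice'"))  # True
    print(cql_batch(["INSERT INTO users (name) VALUES ('a')",
                     "DELETE FROM users WHERE name = 'b';"]))
```

The one-statement rule removes the stacked-query class (the 'bob'; DROP ... case), which is why the thread talks about heavily mitigating rather than eliminating these attacks: a payload such as `' OR name = 'alice` never leaves the single statement and parses fine, so literals still have to be quoted (or the values bound) at the point where untrusted data enters the query.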