On Tue, 2011-03-29 at 17:22 -0500, Jonathan Ellis wrote:
> >> My suggestion as a means of heavily mitigating the damage of these
> >> attacks would be to only permit a single query at a time (i.e. 
> >> remove the ';' token).
> >
> > This is effectively the case.  The parser is run exactly once for 
> > each request and is only capable of parsing exactly one statement 
> > (no less, no more).  Terminating a query with ';' is allowed, but 
> > has no effect on this.
> 
> Batches allow multiple semicolon-delimited statements.

Actually, they require it (since you won't find an EOF terminating any
of the individual statements), but that is a bug.

> I think we'd need to have a separate cql_batch rpc method that took a
> list of statements to solve this.  (I.e., begin/apply batch and the
> semicolons would be strictly interactive markers that would be used to
> break it up into the statements to send in that list.) 

The intended behavior was to allow but not require them (the same for
statements appearing inside the batch or out), and that's easy enough to
fix.

The semicolon doesn't have any effect on the parser result; it's just
tolerant of them because people are going to use them, and it's one more
condition that we can deal with instead of pushing it on clients.

-- 
Eric Evans
eev...@rackspace.com
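
The behaviour discussed in this message (exactly one statement per request, with a trailing ';' tolerated but not required), sketched as an added example that is not code from the thread or from Cassandra's parser. The function names are hypothetical, the sample statements are constructed, and the quoting rule (single-quoted literals, with '' as an escaped quote) is an assumption of the sketch.

```python
def split_statements(text):
    """Split on ';' that appear outside single-quoted string literals."""
    parts, buf, in_str, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            buf.append(ch)
            if ch == "'":
                if i + 1 < len(text) and text[i + 1] == "'":
                    buf.append("'")   # '' is an escaped quote, stay in the literal
                    i += 1
                else:
                    in_str = False    # closing quote
        elif ch == "'":
            in_str = True
            buf.append(ch)
        elif ch == ";":
            parts.append("".join(buf).strip())   # statement boundary
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_str:
        raise ValueError("unterminated string literal")
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)            # final statement had no ';'
    return parts


def single_statement(text):
    """Return the one statement in text, or raise if there is none or more than one."""
    parts = split_statements(text)
    if len(parts) != 1 or not parts[0]:
        raise ValueError("expected exactly one statement, got %d" % len(parts))
    return parts[0]


if __name__ == "__main__":
    # Constructed inputs: the terminator is optional, a ';' inside a literal is data.
    for q in ("SELECT * FROM users WHERE KEY = 'a'",
              "SELECT * FROM users WHERE KEY = 'a;b';",
              "SELECT * FROM users WHERE KEY = 'a'; SELECT * FROM users"):
        try:
            print("accepted:", single_statement(q))
        except ValueError as exc:
            print("rejected:", exc)
```

A check like this only decides how many statements a request carries; it does not address values concatenated into a single statement.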
