The intent behind the limitation seems sound, but the implementation has (to my mind) a slight flaw.

A legitimate client which needs the information could presumably implement its own traversal to descend the tree. But this only works if the json servlet is always allowed to return at least a depth of 1. The current implementation limits the depth to 0 if the node in question has more than the limit number of children.

I was discussing this with Alex, who pointed out that the intent was to be defensive. However, if we really want to limit the *number of children* a node can have, then we ought to do that elsewhere. Given that a node *does* have a certain number of children, the json servlet needs to at least support the enumeration of said children.

So I'd like to propose that we amend the DOS-protection-algorithm to stop at 1, rather than 0.

Thoughts?

Thanks,
Jeff.

(PS: apologies if this gets sent out twice, but I think ezmlm ate the first posting because I hadn't yet confirmed my subscription, so I'm re-sending.)

Jeff Young | Principal Scientist | Adobe Distinguished Inventor
Adobe Systems Software Ireland Ltd.
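
A simplified model of the behaviour discussed in the message above, added here as an illustration; it is not part of the original message and is not the servlet's own code. The tree, the `LIMIT` value and every function name are assumptions; `floor=0` models the behaviour described, `floor=1` the proposed change.

```python
# Toy model of a depth-limited JSON view of a node tree (hypothetical names throughout).
# A node is {"props": {...}, "children": {name: node}}; the data below is constructed.

def node(children=None, **props):
    return {"props": props, "children": children or {}}

def allowed_depth(root, requested, limit, floor):
    """Deepest level <= requested whose cumulative descendant count stays
    <= limit, but never below `floor` (capped at the requested depth)."""
    depth, total, level = 0, 0, [root]
    while depth < requested:
        level = [c for n in level for c in n["children"].values()]
        total += len(level)
        if not level or total > limit:
            break
        depth += 1
    return max(depth, min(floor, requested))

def render(n, depth):
    """JSON-like view: the node's own properties plus children down to `depth`."""
    out = dict(n["props"])
    if depth > 0:
        for name, child in n["children"].items():
            out[name] = render(child, depth - 1)
    return out

def client_walk(root, limit, floor):
    """A client that requests depth 1 at every node and descends by itself.
    Returns the sorted list of paths it was able to discover."""
    found, todo = [], [("", root)]
    while todo:
        path, n = todo.pop()
        found.append(path or "/")
        view = render(n, allowed_depth(n, 1, limit, floor))
        for name, child in n["children"].items():
            if name in view:  # the response enumerated this child
                todo.append((path + "/" + name, child))
    return sorted(found)

LIMIT = 3  # constructed limit; "wide" has more children than this
WIDE = node(title="wide", children={f"c{i}": node(idx=i) for i in range(5)})
ROOT = node(title="root", children={"a": node(title="a"), "wide": WIDE})

if __name__ == "__main__":
    print("floor=0:", client_walk(ROOT, LIMIT, 0))  # stops at /wide
    print("floor=1:", client_walk(ROOT, LIMIT, 1))  # reaches /wide/c0../wide/c4
```

With `floor=1` each response is still bounded to one level, so the cost per request stays proportional to the child count of a single node.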