Hi,

I am inclined to agree that the first level of child nodes to return should 
count into the overall limitation counter but should not be limited by that 
counter.

Thus the first level of child nodes is always returned (if only as "pointers" 
or entries) while starting with the second level, the limit is enforced.

Patch welcome, I might say ;-)

Regards
Felix

On 01.12.2011 at 22:26, Jeff Young wrote:

> The intent behind the limitation seems sound, but the implementation has (to 
> my mind) a slight flaw.
> 
> A legitimate client which needs the information could presumably implement 
> its own traversal to descend the tree.  But this only works if the json 
> servlet is always allowed to return at least a depth of 1.  The current 
> implementation limits the depth to 0 if the node in question has more than 
> the limit number of children.
> 
> I was discussing this with Alex, who pointed out that the intent was to be 
> defensive.  However, if we really want to limit the *number of children* a 
> node can have, then we ought to do that elsewhere.  Given that a node *does* 
> have a certain number of children, the json servlet needs to at least support 
> the enumeration of said children.
> 
> So I'd like to propose that we amend the DOS-protection-algorithm to stop at 
> 1, rather than 0.
> 
> Thoughts?
> 
> Thanks,
> Jeff.
> 
> (PS: apologies if this gets sent out twice, but I think ezmlm ate the first 
> posting because I hadn't yet confirmed my subscription so I'm re-sending.)
> 
> 
> 
> Jeff Young | Principal Scientist | Adobe Distinguished Inventor
> Adobe Systems Software Ireland Ltd.
> Registered Office: 4-6 Riverwalk, Citywest Business Campus,
> Saggart, Dublin 24, Ireland   Company No. 344992
> Please consider your environmental responsibility before printing this 
> e-mail.
> 
> 
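
The depth calculation discussed in this thread, as an added illustration that is not taken from the servlet's code or from either poster. The dict-based tree, the function names and the limit values are assumptions; `min_depth=0` models the behaviour Jeff describes and `min_depth=1` models the proposed change, where level 1 counts toward the limit but is never cut.

```python
# Added illustration; tree shape, names and limits are assumptions, not servlet code.

def make(props, **children):
    """Build a node: its own properties plus named child nodes."""
    return {"props": props, "children": children}

def count_by_level(node, max_depth):
    """Return [n1, n2, ...]: how many descendants sit at each level below node."""
    counts, level = [], [node]
    for _ in range(max_depth):
        level = [c for n in level for c in n["children"].values()]
        if not level:
            break
        counts.append(len(level))
    return counts

def allowed_depth(node, requested_depth, limit, min_depth):
    """Deepest level whose cumulative node count stays within `limit`.

    Levels up to `min_depth` are added to the counter but never cut, so with
    min_depth=1 a client can always enumerate the direct children and then
    descend on its own, one bounded request per child.
    """
    total, depth = 0, 0
    for n in count_by_level(node, requested_depth):
        total += n
        if total > limit and depth >= min_depth:
            break
        depth += 1
    return depth

def render(node, depth):
    """Serialise node properties, expanding children down to `depth` levels."""
    out = dict(node["props"])
    if depth > 0:
        for name, child in node["children"].items():
            out[name] = render(child, depth - 1)
    return out

# Constructed sample: a root with 5 children, each with one grandchild.
WIDE = make({"title": "root"},
            **{f"c{i}": make({"n": i}, leaf=make({"x": 1})) for i in range(5)})

if __name__ == "__main__":
    for floor in (0, 1):
        d = allowed_depth(WIDE, requested_depth=2, limit=3, min_depth=floor)
        print(f"min_depth={floor}: depth {d}, keys {sorted(render(WIDE, d))}")
```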
