<?xml version="1.0"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><title>Twisted Documentation: Security</title><link href="howto/stylesheet.css" type="text/css" rel="stylesheet" /></head><body bgcolor="white"><h1 class="title">Security</h1><div class="toc"><ol><li><a href="#auto0">Bad input</a></li><li><a href="#auto1">Resource Exhaustion and DoS</a></li></ol></div><div class="content"><span></span><p>We need to do a full audit of Twisted, module by module.
This document lists the sort of things you want to look for
when doing this, or when writing your own code.</p><h2>Bad input<a name="auto0"></a></h2><p>Any place we receive untrusted data, we need to be careful.
In some cases we are not careful enough. For example, in HTTP
there are many places where strings need to be converted to
ints, so we use <code class="python">int()</code>. The problem
is that this will accept negative numbers as well, whereas
the protocol should only be accepting positive numbers.</p><h2>Resource Exhaustion and DoS<a name="auto1"></a></h2><p>Make sure we never allow users to create arbitrarily large
strings or files. Some of the protocols still have issues
like this. Place a limit which allows reasonable use but
will cut off huge requests, and allow changing of this limit.
</p><p>Another thing to look out for is exceptions. They can fill
up logs and take a lot of CPU time to render in web pages.</p></div><p><a href="howto/index.html">Index</a></p><span class="version">Version: 2.5.0</span></body></html>
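The two checks this page asks for, strict parsing of protocol integer fields (the "Bad input" section) and a configurable cap on buffered input (the "Resource Exhaustion and DoS" section), are shown below as an added, self-contained example. It is not Twisted's own code; the names parse_unsigned_int, try_parse, BoundedLineBuffer and feed_all, and the limits (19 digits, 2**31 - 1, 16384 bytes) are assumptions chosen for the illustration.

```python
"""Defensive helpers for untrusted protocol input.

Added illustration, not Twisted's own code; all names and limits here are
assumptions chosen for the example.
"""
import re

# int() is too permissive for a protocol field: int(b"-5") == -5,
# int(b"+5") == 5, int(b" 5 ") == 5, and digit strings of any length are
# accepted.  A length or count field only ever means a plain run of ASCII
# digits, so match exactly that (capped at an assumed 19 digits).
_UNSIGNED = re.compile(rb"[0-9]{1,19}")


def parse_unsigned_int(field, max_value=2**31 - 1):
    """Parse a protocol integer field strictly.

    Accepts only unsigned ASCII digits (no sign, no whitespace) and rejects
    values above max_value, so a negative or absurd Content-Length never
    reaches code that allocates or seeks by it.
    """
    if not isinstance(field, bytes):
        raise TypeError("protocol fields are bytes")
    if _UNSIGNED.fullmatch(field) is None:
        raise ValueError("malformed unsigned integer field: %r" % (field,))
    value = int(field)
    if value > max_value:
        raise ValueError("integer field exceeds limit %d: %d" % (max_value, value))
    return value


def try_parse(field, max_value=2**31 - 1):
    """Return the parsed value, or None when the field is rejected."""
    try:
        return parse_unsigned_int(field, max_value)
    except ValueError:
        return None


class BoundedLineBuffer:
    """Accumulate incoming data and split it into delimited lines, refusing
    to grow past a limit that callers may change (max_length)."""

    def __init__(self, max_length=16384, delimiter=b"\r\n"):
        self.max_length = max_length
        self.delimiter = delimiter
        self._buffer = b""

    def feed(self, data):
        """Append data and return the complete lines found.

        Raises ValueError, and discards the buffer, if either a complete
        line or the unterminated remainder exceeds max_length, so a peer
        that never sends a delimiter cannot make memory grow without bound.
        """
        self._buffer += data
        lines = []
        while True:
            idx = self._buffer.find(self.delimiter)
            if idx == -1:
                break
            line = self._buffer[:idx]
            self._buffer = self._buffer[idx + len(self.delimiter):]
            if len(line) > self.max_length:
                self._buffer = b""
                raise ValueError("line too long")
            lines.append(line)
        if len(self._buffer) > self.max_length:
            self._buffer = b""
            raise ValueError("line too long")
        return lines


def feed_all(chunks, max_length=16384):
    """Run constructed chunks through a BoundedLineBuffer.

    Returns (lines, error): the lines extracted before any failure and the
    error message, or None when everything fit within the limit.
    """
    buf = BoundedLineBuffer(max_length)
    lines = []
    for chunk in chunks:
        try:
            lines.extend(buf.feed(chunk))
        except ValueError as exc:
            return lines, str(exc)
    return lines, None


if __name__ == "__main__":
    # Constructed sample input: what int() lets through versus the strict parser.
    for field in (b"42", b"-5", b"+5", b" 5 ", b"99999999999999999999"):
        print(field, int(field), try_parse(field))
    # A constructed request split across chunks, then an endless line.
    print(feed_all([b"GET / ", b"HTTP/1.0\r\nHost: x\r\n"], max_length=32))
    print(feed_all([b"A" * 20, b"A" * 20], max_length=32))
```

The limit is an ordinary attribute so an operator can raise it for a deployment that legitimately needs long lines; the default is deliberately small so that the cut-off, not an out-of-memory condition, is what a hostile peer runs into.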