Critical Denial of Service bugs in Discover

Tom Zander tom at flowee.org
Sun Feb 6 20:01:30 GMT 2022


On Saturday 5 February 2022 22:16:28 CET Ben Cooksley wrote:
> This indicates that the bug lies solely within Plasma's
> Discover component - more precisely its updater.

For those responsible for that component, here are some ideas from a 
seasoned software dev on how this can be fixed.


* software that gets a permanent redirect (301)
should update its download location for future refreshes.
It is not nice that a single client has to be told a permanently 
moved resource is permanently moved multiple times a day :-)


* software that uses services like the example showed should have 
a local cache of the data stored in the XML, with a date/time of 
the XML it came from.

Downloading a new one should first happen with an HTTP HEAD request 
which simply fetches the date and avoids a full request when it 
is not newer than the last time it was downloaded (basic HTTP 
netizen behavior).


So, my point is that the lack of such "being nice to your server" 
features should be considered top priority.
In this case I would not at all blame sysadmin for simply serving 
404s until this is fixed.

Thanks sysadmin for being awesome!
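As an added example, not code from Discover or from the message above: a small Python feed refresher that implements both suggestions. It persists the target of a 301 (and 308) so later refreshes go straight to the new location, and it does the "is it newer than my copy?" check with the one-round-trip equivalent of HEAD-then-GET, a conditional GET carrying the cached copy's ETag and Last-Modified, which an unchanged feed answers with a 304 and no body. The FakeOrigin class, its URLs and the feed contents are constructed for the demonstration; a naive client is run on the same schedule for comparison.

```python
"""Cache-aware feed refresher (added example, not Discover's code).

Two behaviours a polite updater needs:
  1. remember a permanent redirect (301/308) so the next refresh goes
     straight to the new location;
  2. send the validators from the cached copy (ETag / Last-Modified) so an
     unchanged feed costs the server one 304 and no body.
FakeOrigin is a constructed stand-in for the metadata server.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Headers = Dict[str, str]
Response = Tuple[int, Headers, bytes]
Transport = Callable[[str, str, Headers], Response]   # (method, url, headers)

PERMANENT_REDIRECTS = {301, 308}
TEMPORARY_REDIRECTS = {302, 303, 307}
MAX_REDIRECTS = 5


def _header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


@dataclass
class CacheEntry:
    url: str                              # current location of the feed
    body: bytes = b""
    etag: Optional[str] = None
    last_modified: Optional[str] = None


class FeedCache:
    """Keeps one CacheEntry per configured feed URL."""

    def __init__(self, transport: Transport) -> None:
        self.transport = transport
        self.entries: Dict[str, CacheEntry] = {}

    def refresh(self, configured_url: str) -> Tuple[bytes, str]:
        """Return (feed body, 'updated' | 'not-modified')."""
        entry = self.entries.setdefault(configured_url, CacheEntry(url=configured_url))
        request_headers: Headers = {}
        if entry.etag:
            request_headers["If-None-Match"] = entry.etag
        if entry.last_modified:
            request_headers["If-Modified-Since"] = entry.last_modified

        url = entry.url                   # start at the last known location, not the configured one
        for _ in range(MAX_REDIRECTS + 1):
            status, headers, body = self.transport("GET", url, request_headers)
            if status in PERMANENT_REDIRECTS | TEMPORARY_REDIRECTS:
                url = _header(headers, "Location") or url
                if status in PERMANENT_REDIRECTS:
                    entry.url = url       # persist: never ask the old URL again
                continue
            break
        else:
            raise RuntimeError(f"redirect loop starting at {entry.url}")

        if status == 304:                 # validators matched: reuse the cached copy
            return entry.body, "not-modified"
        if status == 200:
            entry.body = body
            entry.etag = _header(headers, "ETag")
            entry.last_modified = _header(headers, "Last-Modified")
            return body, "updated"
        raise RuntimeError(f"HTTP {status} for {url}")


class FakeOrigin:
    """Constructed origin: the old URL is permanently moved, the new one honours validators."""
    OLD = "https://old.example.org/feed.xml"
    NEW = "https://new.example.org/feed.xml"

    def __init__(self) -> None:
        self.requests: List[Tuple[str, str]] = []   # (method, url) seen by the server
        self.bytes_sent = 0
        self.publish(b"<feed><item>1</item></feed>", '"v1"', "Sun, 06 Feb 2022 12:00:00 GMT")

    def publish(self, body: bytes, etag: str, last_modified: str) -> None:
        self.body, self.etag, self.last_modified = body, etag, last_modified

    def __call__(self, method: str, url: str, headers: Headers) -> Response:
        self.requests.append((method, url))
        if url == self.OLD:
            return 301, {"Location": self.NEW}, b""
        if url != self.NEW:
            return 404, {}, b""
        validators = {"ETag": self.etag, "Last-Modified": self.last_modified}
        if _header(headers, "If-None-Match") is not None:      # ETag wins over the date
            unchanged = _header(headers, "If-None-Match") == self.etag
        else:
            unchanged = _header(headers, "If-Modified-Since") == self.last_modified
        if unchanged:
            return 304, validators, b""
        self.bytes_sent += len(self.body)
        return 200, validators, self.body


def simulate(refreshes: int = 4) -> Tuple[FakeOrigin, FeedCache, List[str]]:
    """Polite client: refresh `refreshes` times; the feed changes once, before the third."""
    origin = FakeOrigin()
    cache = FeedCache(origin)
    outcomes: List[str] = []
    for i in range(refreshes):
        if i == 2:
            origin.publish(b"<feed><item>1</item><item>2</item></feed>", '"v2"',
                           "Sun, 06 Feb 2022 18:00:00 GMT")
        _, outcome = cache.refresh(FakeOrigin.OLD)
        outcomes.append(outcome)
    return origin, cache, outcomes


def naive_requests(refreshes: int = 4) -> Tuple[int, int]:
    """Same schedule for a client that never caches: (requests seen, bytes transferred)."""
    origin = FakeOrigin()
    for _ in range(refreshes):
        url = FakeOrigin.OLD
        while True:
            status, headers, _ = origin("GET", url, {})
            if status not in PERMANENT_REDIRECTS:
                break
            url = headers["Location"]
    return len(origin.requests), origin.bytes_sent


if __name__ == "__main__":
    origin, cache, outcomes = simulate()
    print("outcomes:", outcomes)
    print("polite client:", len(origin.requests), "requests,", origin.bytes_sent, "bytes")
    print("naive client: ", *naive_requests())
    print("remembered location:", cache.entries[FakeOrigin.OLD].url)
```

The polite client asks the old URL exactly once and then sends five requests over four refreshes, two of them answered with an empty 304; the naive client on the same schedule sends eight and downloads the full feed every time. Temporary redirects (302/303/307) are followed but deliberately not written back into the cache entry, since they carry no promise about the next request.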
