Dolphm: I think you are spot on. Obviously both of these patches are important... but I do feel like the immediate exploit might be better handled by this patch, which takes a more fine-grained approach.
Both this patch and what I did in https://review.openstack.org/#/c/19567/ prevent the issue however. I did 19567 as a catch all to prevent other things we might not know about... not necessarily to supplant the checks here.
-----
I'll look into making MAX_PARAM_SIZE a config variable. I suppose I based this roughly on the max size of the SQL backend (which to me seemed like a reasonable default).
ayoung: I do think the MAX_TOKEN_SIZE is going to need to be larger than MAX_PARAM_SIZE, so it warrants either an extra config or global.