Comment 36 for bug 1361360

So just to confirm... we have a potential for a denial of service condition here. The proposed patch mitigates it for authenticated sessions, but does nothing to solve the more general issue which also can be triggered without authentication and for which we can't reasonably backport a solution.

This sounds more like something we need to document and hope it can be solved more completely in the future.