Comment 18 for bug 1036985

In , Kurt (kurt-redhat-bugs) wrote:

gpernot reports:

Bug 110 - algorithmic complexity denial of service

randomized hashmaps to prevent DOS attacks

Hashmaps are not randomized, so it is possible to forge fake headers that
will always go into the same bucket.
Try 'curl http://78.230.4.96/hashes.asis' via tinyproxy and without it to
convince yourself (~8 MB of headers). I'll remove this URL as soon as the bug is
accepted...

The attached patch should solve this. It's certainly perfectible, though
(autoconf for time() and rand() is missing...).

Even with this patch, it takes ages. Maybe headers should be sanitized before
hitting the buckets...

Created attachment 60: limit number of headers to prevent DoS attacks

External references:
https://banu.com/bugzilla/show_bug.cgi?id=110#c2
https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985