Improved/corrected documentation for the DOS protection options #1180
Conversation
|
The failing "Windows py3.7" test is: We know that some |
There was a problem hiding this comment.
The updated documentation LGTM, thanks.
Dieter Maurer wrote:
@mauritsvanrees #1177 might indicate that
Ploneneeds a higherform-memory-limitdefault (currently 1MB). What is your experience?
In my experience, only sites with plone.restapi installed (this includes all sites using the default Volto frontend) are affected. In such a site, if you try to upload a file or image larger than 1MB, you get an error:
zExceptions.BadRequest: data exceeds memory limit
See also plone/Products.CMFPlone#3848.
On a few sites I have increased the form-memory-limit to 10MB, which at least seems fair for images. I wondered about doing a patch in Products.CMFPlone to update this limit, but then we would have to be careful to not override a manual setting in zope.conf. I would be happy with a higher limit in Zope.
In a pure Plone ClassicUI site without plone.restapi installed, with the default settings I can upload a 22MB file without problem. There the uploaded file is read in a way that does not trigger the limits.
With plone.restapi the error already happens when calling extractCredentials on the PAS plugin that comes with the package. The json_body function that is used there should probably be changed along the lines of your suggestions in #1177 (comment). This function is used all over the place though, so this could have unwanted side effects.
I think I will create a PR for plone.restapi that catches the BadRequest error in the PAS plugin. That fixes the basic error for ClassicUI at least.
d-maurer
changed the title
form-memory-limit default
@mauritsvanrees I suggest to rework the |
The result was never used, and it may fail when the request is too large to read. This is a problem since at least Zope 5.8.4, introduced in Plone 6.0.7. See plone/Products.CMFPlone#3848 and zopefoundation/Zope#1180. This PR is an alternative to #1726. See discussion there.
Thanks! |
|
I am happy with this. @d-maurer Can you merge? @dataflake @icemac A Zope release with this would be good. Would that be possible today or tomorrow? I am trying to release Plone 6.0.8 and want to have the increased limit in there, either with a new Zope version or with a temporary patch in CMFPlone. |
|
@mauritsvanrees I don't mind doing releases but I would really appreciate more warning than "today or tomorrow". I am sure releasing Plone 6.0.8 didn't occur to you just today, right? |
|
Maurits van Rees wrote at 2023-10-31 04:02 -0700:
On a few sites I have increased the form-memory-limit to 10MB, which at least seems fair for images. I wondered about doing a patch in `Products.CMFPlone` to update this limit, but then we would have to be careful to not override a manual setting in `zope.conf`. I would be happy with a higher limit in Zope.
@mauritsvanrees
The parameter protects against potential denial of service attacks
by overloading a system's RAM resources.
I meanwhile learned that `plone.restapi` wants to load
complete file contents into RAM (a design fault in my view).
Should you want to keep this (hopefully only temporarily),
you could override `ZPublisher.HTTPRequest.VALUE_LIMIT`
(currently `Global("FORM_MEMORY_LIMIT")`) by `None`.
This would allow arbitrary large request bodies accessed
via `request["BODY"])`.
|
|
@dataflake Sorry for not communicating earlier. The problem with the low memory limit was already known (to Plone people) since shortly after the Plone 6.0.7 release from 21 September. Since then some fixes were done to counter this (in Meanwhile there actually is already a Plone 6.0.8 release candidate since last Thursday. I wanted to do the final release two days ago. But finally I decided we should not ship with this low default limit, so I postponed the release (also for one other, totally unrelated problem). |
|
Maurits van Rees wrote at 2023-11-2 03:44 -0700:
I am happy with this. @d-maurer Can you merge?
I would like to still wait a bit.
The current state will still not make all Plone admins happy as
only uploads up to 8 MB will be possible without reconfiguration.
The current state of `plone.restapi` requires that
access to `request["BODY"]` does not have a size protection
(or a very large one (in the order of GB)).
We could remove this size protection in `Zope` or
you could do this in `Products.CMFPlone`.
Or we could add an additional parameter (e.g. `REQUEST_BODY_MEMORY_LIMIT`)
with a quite large default.
We should find consensus about those options before the PR gets
merged.
|
|
As a quick fix, I think I will open a PR in |
Maybe, overriding |
|
I removed the default change for |
d-maurer
changed the title
form-memory-limit default…es and images. This seems a better way, then increasing the limit to 16MB. See zopefoundation/Zope#1180 (comment)
Okay, let's go with that after all. Thanks. |
|
@d-maurer OK, I suggest merging now @mauritsvanrees Do you still need a Zope 5.8.7 release? |
|
@dataflake No need for a Zope release, the FWIW, I tried the Zope master branch and its versions earlier this week, and all Plone tests passed. |
…1729) * Allow uploads up to 16 MB. This fixes a regression due to a low Zope form memory limit of 1MB used since Plone 6.0.7. You can use ``dos_protection`` settings in ``etc/zope.conf`` to change the limit. See plone/Products.CMFPlone#3848 and zopefoundation/Zope#1142. * Changed patch: temporarily disable form memory limit checking for files and images. This seems a better way, then increasing the limit to 16MB. See zopefoundation/Zope#1180 (comment)
Branch: refs/heads/main Date: 2023-11-04T07:13:09+01:00 Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org> Commit: plone/plone.restapi@9f399ac Temporarily disable form memory limit checking for files and images. (#1729) * Allow uploads up to 16 MB. This fixes a regression due to a low Zope form memory limit of 1MB used since Plone 6.0.7. You can use ``dos_protection`` settings in ``etc/zope.conf`` to change the limit. See plone/Products.CMFPlone#3848 and zopefoundation/Zope#1142. * Changed patch: temporarily disable form memory limit checking for files and images. This seems a better way, then increasing the limit to 16MB. See zopefoundation/Zope#1180 (comment) Files changed: A news/3848.bugfix A src/plone/restapi/patches.py M src/plone/restapi/__init__.py M src/plone/restapi/deserializer/__init__.py
Branch: refs/heads/main Date: 2023-11-04T07:13:09+01:00 Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org> Commit: plone/plone.restapi@9f399ac Temporarily disable form memory limit checking for files and images. (#1729) * Allow uploads up to 16 MB. This fixes a regression due to a low Zope form memory limit of 1MB used since Plone 6.0.7. You can use ``dos_protection`` settings in ``etc/zope.conf`` to change the limit. See plone/Products.CMFPlone#3848 and zopefoundation/Zope#1142. * Changed patch: temporarily disable form memory limit checking for files and images. This seems a better way, then increasing the limit to 16MB. See zopefoundation/Zope#1180 (comment) Files changed: A news/3848.bugfix A src/plone/restapi/patches.py M src/plone/restapi/__init__.py M src/plone/restapi/deserializer/__init__.py
#1177 has shown that Zope's DOS protection options documentation is partially wrong and difficult to understand.
This PR significantly extends the documentation by a description of the process influenced by the options and a precise specification of their imposed limits.
@mauritsvanrees #1177 might indicate that
Ploneneeds a higherform-memory-limitdefault (currently 1MB). What is your experience?