From 6a25b6bdfac5d55f86be5cc64ec951a0cd2851a8 Mon Sep 17 00:00:00 2001 From: Thomas Waldmann Date: Sat, 18 Feb 2017 07:15:53 +0100 Subject: [PATCH] update docs about limited msgpack Unpacker for RPC code --- docs/security.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/security.rst b/docs/security.rst index f84b321cb..5688744ec 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -248,8 +248,8 @@ denial of repository service. The situation were a server can create a general DoS on the client should be avoided, but might be possible by e.g. forcing the client to allocate large amounts of memory to decode large messages (or messages -that merely indicate a large amount of data follows). See issue -:issue:`2139` for details. +that merely indicate a large amount of data follows). The RPC protocol +code uses a limited msgpack Unpacker to prohibit this. We believe that other kinds of attacks, especially critical vulnerabilities like remote code execution are inhibited by the design of the protocol:
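Review bot: the replacement sentence drops the `:issue:`2139`` cross-reference entirely; keep it alongside the new text (e.g. "The RPC protocol code uses a limited msgpack Unpacker to prohibit this, see :issue:`2139`.") so readers can still trace the mitigation back to the issue that motivated it. Also, "prohibit" overstates what the surrounding paragraph claims: the preceding lines say such a DoS "should be avoided, but might be possible", and a limited Unpacker bounds allocation for oversized or size-announcing messages rather than ruling out every client-side DoS, so "mitigate" or "limit" would match the text it sits in. Finally, the sentence should say what the Unpacker limits (which msgpack size limits are set, or where in the RPC code they are configured) so a reader can judge the mitigation rather than take "limited" on faith.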