[Date Prev][Date Next]
Re: (ITS#5114) pcache cache results for searches that hit size/timelimit
On Wednesday 29 August 2007 18:36, Pierangelo Masarati wrote:
> firstname.lastname@example.org wrote:
> >> pcache currently cache the results of search that hit server- or
> >> clientside size- or timelimits. That means that subsequent search will
> >> get the (incomplete) results from the cache. I guess pcache should only
> >> cache operations that returned LDAP_SUCCESS.
> > Makes sense...
> Well, I agree for timelimit, but sizelimit might be questionable. In
> fact, the only reason not to cache searches ending in sizelimit exceeded
> is that the size limit may depend on the client's identity. But this is
> true in general also for access to entries and to entry data, but we
> don't cache based on the identity of the client, so data cached with one
> identity (set A) might differ from data that would be returned by
> another identity for the very same search (set B), and both the relative
> complement of A in B and of B in A may be not empty. So, if we accept
> this for ACLs (no differences between the results returned for requests
> with different identities) I don't see why we should differentiate with
> respect to the size limit.
But a malicous client can then just send requests with sizelimit 1. Those
query will get cached and the database is of no real use anymore (IMO).