[Catalog-sig] PyPI reverse download
Jacob Kaplan-Moss
jacob at jacobian.org
Tue Jul 27 22:34:31 CEST 2010
On Tue, Jul 27, 2010 at 1:25 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
> I'll be implementing a feature for PyPI where you can POST
> to a certain action (revdownload), and then PyPI will POST
> the file requested to a URL that was passed; this is needed
> to make blobs work on AppEngine.
>
> Any objections?
Seems like this is ripe for abuse -- it's essentially an open relay
for POST requests, so I could use it to amplify a DDOS attack. So
probably sounds like there needs to be some sort of security, or
whitelist of allowed URLs (or prefixes?), or some such.
Jacob
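An added illustration of the URL whitelist Jacob suggests, not code from PyPI or from anyone on this thread: the destination passed to revdownload is accepted only when its parsed scheme, host and normalised path fall under an allowed prefix, rather than by raw string comparison. The allowed host and path below are constructed placeholders, not real PyPI or AppEngine endpoints.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed example allowlist: the only place PyPI may POST a file to.
# Host and path are hypothetical, not a real PyPI or AppEngine endpoint.
ALLOWED_PREFIXES = ("https://pypi-blobs-example.appspot.com/_ah/upload/",)


def naive_is_allowed(url, allowed_prefixes=ALLOWED_PREFIXES):
    """The obvious check. Raw string matching is fooled by '..' segments
    (and, for host-only prefixes, by 'host.evil.net' or 'host@evil.net')."""
    return any(url.startswith(prefix) for prefix in allowed_prefixes)


def is_allowed_target(url, allowed_prefixes=ALLOWED_PREFIXES):
    """Compare parsed components instead of the raw string: https only,
    exact hostname, no embedded credentials, default port, and a
    normalised path that stays under the allowed path prefix."""
    try:
        target = urlsplit(url)
        port = target.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if target.scheme != "https" or not target.hostname:
        return False
    if target.username is not None or target.password is not None:
        return False
    if port not in (None, 443):
        return False
    # Collapse '.' and '..' so '/_ah/upload/../../admin' becomes '/admin'.
    path = posixpath.normpath(target.path or "/")
    for prefix in allowed_prefixes:
        allowed = urlsplit(prefix)
        allowed_path = posixpath.normpath(allowed.path)
        same_host = target.hostname == allowed.hostname
        under_path = (path == allowed_path
                      or path.startswith(allowed_path.rstrip("/") + "/"))
        if same_host and under_path:
            return True
    return False
```

The whitelist only addresses where the relay may POST; a per-account quota on revdownload requests would still be needed against the amplification Jacob describes.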