From: Galen Charlton Date: Mon, 27 Mar 2023 15:51:37 +0000 (-0400) Subject: remove release notes entries made moot by security point releases X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=5919d176c9b2ad39a879c7f4c6669d9da868c0e4;p=evergreen%2Fmasslnc.git remove release notes entries made moot by security point releases Signed-off-by: Galen Charlton --- diff --git a/docs/RELEASE_NOTES_NEXT/Architecture/DoS-protection.adoc b/docs/RELEASE_NOTES_NEXT/Architecture/DoS-protection.adoc deleted file mode 100644 index 929c36a3aa..0000000000 --- a/docs/RELEASE_NOTES_NEXT/Architecture/DoS-protection.adoc +++ /dev/null @@ -1,10 +0,0 @@ -== DoS Protection == - -Here we add two ways to protect against denial of service attacks: - * Limit concurrent search requests per client IP address - ** This helps address issues of accidental spamming from a malfunctioning OPAC workstation, or web crawlers of various types. The limit is controlled by a global flag called *opac.max_concurrent_search.ip*. By default there is no limit set. - * Limit the global concurrent search requests for the same query - ** This helps address both simple and distributed DoS that send the same search request over and over. The limit is controlled by a global flag called *opac.max_concurrent_search.query*, and defaults to 20. - -When a limit is exceeded the client receives an HTTP 429 "Too many requests" response from the web server, and the connection is ended. - diff --git a/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc b/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc deleted file mode 100644 index a4931b5bd1..0000000000 --- a/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc +++ /dev/null 
@@ -1,11 +0,0 @@ -== Protect qtype CGI parameter == - -Malicious DoS attempts have been witnessed in the wild making use of -the fact that Evergreen does not check the contents of the qtype CGI -parameter. While these fail their intent, it would be better to -simply drop such searches on the floor when they're seen. - -Evergreen will now confirm that the search class in the qtype parameter -is valid, and that the remainder of the value is structured correctly, -before processing the search request. -
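Review bot: In the deleted docs/RELEASE_NOTES_NEXT/Architecture/DoS-protection.adoc, the lines naming the global flags *opac.max_concurrent_search.ip* (no limit by default) and *opac.max_concurrent_search.query* (default 20), together with the HTTP 429 behaviour, are operator-facing configuration details, and the commit message does not say which security point releases' notes now carry them. Suggest naming those releases in the commit message so that someone reading the history can confirm the flag names and defaults are still documented.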
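Review bot: In the deleted docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc, the entry says searches with an invalid qtype are dropped, but unlike the DoS entry's HTTP 429 line it never states what the client receives. If this text went into the point release notes unchanged, that gap went with it. Worth checking the published entry and stating the response there, since that is what someone triaging web server logs would look for.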