From 5919d176c9b2ad39a879c7f4c6669d9da868c0e4 Mon Sep 17 00:00:00 2001 From: Galen Charlton Date: Mon, 27 Mar 2023 11:51:37 -0400 Subject: [PATCH] remove release notes entries made moot by security point releases Signed-off-by: Galen Charlton --- docs/RELEASE_NOTES_NEXT/Architecture/DoS-protection.adoc | 10 ---------- docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc | 11 ----------- 2 files changed, 21 deletions(-) delete mode 100644 docs/RELEASE_NOTES_NEXT/Architecture/DoS-protection.adoc delete mode 100644 docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc diff --git a/docs/RELEASE_NOTES_NEXT/Architecture/DoS-protection.adoc b/docs/RELEASE_NOTES_NEXT/Architecture/DoS-protection.adoc deleted file mode 100644 index 929c36a3aa..0000000000 --- a/docs/RELEASE_NOTES_NEXT/Architecture/DoS-protection.adoc +++ /dev/null @@ -1,10 +0,0 @@ -== DoS Protection == - -Here we add two ways to protect against denial of service attacks: - * Limit concurrent search requests per client IP address - ** This helps address issues of accidental spamming from a malfunctioning OPAC workstation, or web crawlers of various types. The limit is controlled by a global flag called *opac.max_concurrent_search.ip*. By default there is no limit set. - * Limit the global concurrent search requests for the same query - ** This helps address both simple and distributed DoS that send the same search request over and over. The limit is controlled by a global flag called *opac.max_concurrent_search.query*, and defaults to 20. - -When a limit is exceeded the client receives an HTTP 429 "Too many requests" response from the web server, and the connection is ended. - diff --git a/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc b/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc deleted file mode 100644 index a4931b5bd1..0000000000 --- a/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc +++ /dev/null 
@@ -1,11 +0,0 @@ -== Protect qtype CGI parameter == - -Malicious DoS attempts have been witnessed in the wild making use of -the fact that Evergreen does not check the contents of the qtype CGI -parameter. While these fail their intent, it would be better to -simply drop such searches on the floor when they're seen. - -Evergreen will now confirm that the search class in the qtype parameter -is valid, and that the remainder of the value is structured correctly, -before processing the search request. - -- 2.11.0
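Review bot: the DoS-protection.adoc hunk deletes the only documentation in this tree of the two new global flags, *opac.max_concurrent_search.ip* (no limit by default) and *opac.max_concurrent_search.query* (default 20), and of the HTTP 429 "Too many requests" response returned when a limit is exceeded, and the diffstat (2 files changed, 21 deletions) shows nothing replacing it. Before merging, confirm that this text, or an equivalent, already exists in the security point-release notes or in the administration docs so administrators can still find the flag names and defaults; if it does not, consider moving the file rather than deleting it.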
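Review bot: the qtype-param-protection.adoc hunk removes the only description of the new behaviour that a search is dropped when the search class in the qtype CGI parameter is invalid or the remainder of the value is malformed, and the patch adds no replacement. Please verify the point-release notes carry this before the deletion lands, since operators troubleshooting "missing" searches will need it; if the text is relocated, it would also help to state what the client receives for a rejected qtype (the companion DoS-protection note specifies HTTP 429, this one gives no response code).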