
From: Omar Polo <op@omarpolo.com>
Subject: Re: gotd flush packets
To: Stefan Sperling <stsp@stsp.name>
Cc: gameoftrees@openbsd.org
Date: Fri, 20 Jan 2023 20:04:51 +0100

On 2023/01/20 19:57:59 +0100, Stefan Sperling <stsp@stsp.name> wrote:
> Someone did a silly thing against our public git mirror:
> 
> Jan 20 19:20:23 florabel gotd[74429]: received flush-pkt from uid 1002
> Jan 20 19:20:43 florabel last message repeated 251236 times
> Jan 20 19:20:43 florabel gotd[70339]: list-refs request from uid 1002
> Jan 20 19:20:43 florabel gotd[74429]: received flush-pkt from uid 1002
> Jan 20 19:21:14 florabel last message repeated 386788 times
> Jan 20 19:21:43 florabel last message repeated 367291 times
> 
> There can of course be various variations of something like this in the
> git protocol, so the patch below is not foolproof. But it is relatively
> easy to catch the above case and we have to start somewhere.
> If you are the person who triggered this, please let me know if you
> are willing to help with developing countermeasures for such things.
> It would be fun and a more productive use of your time. We should have
> tests for such cases in our test suite to start with.
> 
> As far as I understand the Git protocol docs there are only three places
> where we expect a flush packet from the client:
> 
>  - After sending our ref announcement we can receive a flush packet
>    if the client decides it does not want anything.
>  - The list of want lines during fetch is terminated by a flush packet.
>  - The list of ref-updates lines during send is terminated by a flush packet.

that's my understanding as well

> The test suite is happy and trivial manual fetch/send testing suggests
> both fetch and send still work with both got and git clients.
> 
> ok?

ok op

can't test right now but the idea seems sound to me and the diff reads
fine.

(might be able to write a test case for this sometime tomorrow if
nobody beats me to it :-)
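
The rule quoted in this message (a client flush-pkt is expected only right after the ref announcement or as the terminator of a want or ref-update list) can be checked with a small state machine over pkt-line framing. The following is an added example, not gotd's code and not the patch under discussion; the state names and `check_client_stream` are hypothetical, and it assumes the three listed points are the only valid ones.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical session states for this sketch; not gotd's own names. */
enum state { AFTER_REF_ANNOUNCEMENT, IN_LIST, LIST_DONE };

/* Decode the 4-hex-digit pkt-line length prefix; -1 if malformed. */
static int pkt_len(const char *p)
{
	int n = 0;
	for (int i = 0; i < 4; i++) {
		int d;
		if (p[i] >= '0' && p[i] <= '9') d = p[i] - '0';
		else if (p[i] >= 'a' && p[i] <= 'f') d = p[i] - 'a' + 10;
		else if (p[i] >= 'A' && p[i] <= 'F') d = p[i] - 'A' + 10;
		else return -1;
		n = n * 16 + d;
	}
	return n;
}

/* Return 0 if every flush-pkt ("0000") in the client stream arrives where
 * the quoted list expects one, -1 on a malformed or unexpected packet. */
int check_client_stream(const char *buf, size_t len)
{
	enum state st = AFTER_REF_ANNOUNCEMENT;
	size_t off = 0;

	while (off < len) {
		int n = (len - off < 4) ? -1 : pkt_len(buf + off);
		if (n == 0) {			/* flush-pkt */
			if (st == LIST_DONE)
				return -1;	/* no list open: reject, stop reading */
			st = LIST_DONE;		/* "wants nothing" or end of list */
			off += 4;
			continue;
		}
		if (n < 4 || (size_t)n > len - off)
			return -1;		/* bad length or truncated packet */
		if (st == AFTER_REF_ANNOUNCEMENT)
			st = IN_LIST;		/* first want / ref-update line */
		off += (size_t)n;
	}
	return 0;
}

int main(void)
{
	const char *flood = "00000000";	/* constructed: two flush-pkts in a row */
	printf("flood -> %d\n", check_client_stream(flood, strlen(flood)));
	return 0;
}
```

Returning an error on the first unexpected flush-pkt lets the caller close the connection instead of logging each repeat.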