Hello World wrote:
> Denial of service is indeed a problem. Is there a way to limit the execution time of a request?
Yes, setting statement_timeout.
But if a client can exectue arbitrary statements, that could also
be statements like:
SET statement_timeout=0;
SET work_mem=1024GB;
> I'm using libpq to communicate with the server.
>
> PS. I've just taken a look, it seems I could do some asynchronous queries, time them, then cancel them
> if they take too long.
>
> http://www.postgresql.org/docs/8.4/static/libpq-cancel.html
That might be a way to avoid that people just reset statement_timeout.
Of course someone could start a deadly query and then kill the client
before it has a chance to cancel it...
Yours,
Laurenz Albe
