Issue #1 open

Usage of sleep()

remram44
created an issue

Django is asynchronous, meaning it does not create a thread to handle each request in a blocking fashion.

Whereas the README mentions "lightweight, designed not to slow down your website a single bit", you use sleep in your middleware. This function will put the thread to sleep, delaying all the requests it is supposed to handle. Furthermore, if the traffic used by miserable users alone is sufficient, your website can go down indefinitely by putting itself to sleep.

Your middleware is an explicit DoS feature.

Comments (7)

  1. Fabien Schwebel repo owner

    Thanks for the bug report, Remraminou. I didn't quite understand the way Django handles the job queue. It is true that the current implementation blocks a worker. It may also make denial of service easier, multiplying the effects on availability of the request of a miserable user.

    I don't currently see how to implement this feature in a non-blocking way. Suggestions are welcome. For now, I switched off the feature in the default settings, and mentioned the issue in the readme. This will need to be fixed before moving on to the beta stage.

  2. remram44 reporter

    > I don't currently see how to implement this feature in a non-blocking way.

    You can't without a major rewrite of Django. This is a limitation of WSGI.

  3. Fabien Schwebel repo owner

    It seems that you are right, as usual!

    After trying to delay the response using the Python threading lib, and especially the Timer object, it does not seem to be doable. If the user is slowbanned, the Python interpreter would create a thread to complete the sending of the HTTP response, but the WSGI transaction would be over.

    The new StreamingHttpResponse feature of Django 1.5 also sounded like a solution, but the performance consideration frame has the final word: "Django is designed for short-lived requests."
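
The worker starvation discussed in this thread, as an added example that is not part of the original issue or of the project's own code: a deterministic queue model of a fixed pool of synchronous WSGI workers in which a slowbanned request holds its worker for the whole sleep. The pool size, delay, service time and traffic are constructed assumptions.

```python
import heapq

def simulate(requests, workers, slowban_delay_ms):
    """Model a fixed pool of synchronous workers serving requests in FIFO order.

    requests: list of (arrival_ms, is_miserable, service_ms), sorted by arrival.
    Returns a list of (is_miserable, latency_ms), latency = completion - arrival.
    """
    free_at = [0] * workers          # time at which each worker is next idle
    heapq.heapify(free_at)
    results = []
    for arrival, miserable, service in requests:
        # The request waits until the earliest worker becomes idle.
        start = max(arrival, heapq.heappop(free_at))
        # A blocking sleep() in middleware keeps the worker busy for the whole delay.
        busy = service + (slowban_delay_ms if miserable else 0)
        done = start + busy
        heapq.heappush(free_at, done)
        results.append((miserable, done - arrival))
    return results

def worst_normal_latency(requests, workers, slowban_delay_ms):
    """Longest wait seen by a request that is not slowbanned."""
    return max(lat for miserable, lat in
               simulate(requests, workers, slowban_delay_ms) if not miserable)

# Constructed traffic (assumed values): 50 ms of real work per request.
SERVICE_MS = 50

def traffic(n_miserable):
    """n slowbanned requests 100 ms apart, then one ordinary user at t = 1 s."""
    reqs = [(i * 100, True, SERVICE_MS) for i in range(n_miserable)]
    reqs.append((1000, False, SERVICE_MS))
    return reqs

if __name__ == "__main__":
    for n in (3, 4):
        for delay in (0, 5000):
            lat = worst_normal_latency(traffic(n), workers=4, slowban_delay_ms=delay)
            print(f"{n} slowbanned requests, delay {delay} ms: "
                  f"ordinary user waits {lat} ms")
```

In this model the ordinary user is unaffected while slowbanned requests number fewer than the workers, and waits for a sleep to finish as soon as they fill the pool.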
