Ben Darnell
It seems to me that the vulnerability here is not in the fact that the server accepts requests with unknown host headers, but that the app generates password reset links...
Hmm, an `allowed_hosts` setting that automatically creates an appropriate `HostMatches` is an interesting idea. It doesn't save that much code compared to using `HostMatches` directly, but is likely to avoid...
I'm not very familiar with UFW but I don't see how it could be used here. Note that the problem here relates primarily to the HTTP `Host` header and not...
Yes, that `if timeout` should be `if timeout is not None` (the same bug occurs with a float value of zero). We also have a `get_nowait()` method which is a...
Yeah, the web interface could use a lot of work, and I'd welcome patches in this area - I don't know much javascript either. Smarter zooming and positioning is definitely...
Hmm. Plop should be thread-safe; I initially developed it in a multithreaded app. stack_counts is normally a defaultdict so it should never raise KeyErrors (barring threading issues). Collector.filter() converts stack_counts...
If the signal handler fails, the exception will keep going into whatever code was running at the time of the signal, probably just getting caught and logged in the event...
How many threads do you typically have? Was the application still responsive while the profile was running?
Hmm, 15 threads shouldn't be enough to cause signal handler overrun problems, although if you're also having GIL contention it's a possibility. My next move would be to explicitly guard...
Looks like you're the first person to try this module in Tornado 6 :) This would be a two-line fix (remove the import of `stack_context` and the call to `stack_context.wrap`)....