The problem is that even after setting a max size or disabling the uploads,
the file is still uploaded.
On Unix the file is uploaded in the temporary partition and it can be
limited, but on Windows it is fully uploaded, so this Perl way of denying
doesn't work on all OSes.

Teddy,
Teddy's Center: http://teddy.fcc.ro/
Email: [EMAIL PROTECTED]

----- Original Message -----
From: "Scot Robnett" <[EMAIL PROTECTED]>
To: "Cool Hand Luke" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, March 31, 2003 10:57 PM
Subject: RE: The very un-useful 'premature end of script headers' error message


I was out of the loop on this one for a while, but isn't that why
$CGI::POST_MAX and $CGI::DISABLE_UPLOADS were created? If you need to allow
multipart (or any type) of uploads, use POST_MAX and set a size limit. That
way, if something is - by your determination - excessively large, your
script will exit cleanly with an error message.

The answer to your question is: Be afraid, be very afraid. A wily cracker
may be able to run system commands if you allow him/her to upload code. Even
without knowing that much, they could simply create a script that generates
a big enough upload to cause DoS (denial of service) on your server. My
advice is always to err on the side of caution. Never think "that would
never happen on MY site."

-----
Scot Robnett
inSite Internet Solutions
[EMAIL PROTECTED]
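Added example (not part of the original thread, and not code from any of the
posters): a minimal CGI.pm script showing where $CGI::POST_MAX and
$CGI::DISABLE_UPLOADS have to be set for them to take effect, how the
rejection surfaces through cgi_error(), and a belt-and-braces check of
CONTENT_LENGTH before the request object is even built. The 100 KB limit
and the 'name' form field are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Both limits must be set BEFORE CGI->new is called: CGI.pm consults them
# while it parses the request body, so setting them afterwards does nothing.
$CGI::POST_MAX        = 100 * 1024;  # assumption: 100 KB is plenty for this form
$CGI::DISABLE_UPLOADS = 1;           # this script expects no <input type="file">

# Belt-and-braces: if the client announced a body larger than the limit,
# refuse before reading anything at all. This does not depend on CGI.pm.
my $declared = $ENV{CONTENT_LENGTH} || 0;
if ($declared > $CGI::POST_MAX) {
    print "Status: 413 Request Entity Too Large\r\n";
    print "Content-Type: text/plain\r\n\r\n";
    print "Request rejected: body of $declared bytes exceeds $CGI::POST_MAX\n";
    exit 0;
}

my $q = CGI->new;

# cgi_error() is set when the body exceeded POST_MAX
# ("413 Request entity too large") or when a file upload arrived while
# uploads are disabled ("403 Forbidden"). Exit cleanly with that status
# instead of falling through to the normal handler.
if (my $err = $q->cgi_error) {
    print $q->header(-status => $err, -type => 'text/plain');
    print "Request rejected: $err\n";
    exit 0;
}

# Normal path: the request was within limits and carried no upload.
my $name = $q->param('name');
$name = 'anonymous' unless defined $name && length $name;
print $q->header('text/plain');
print "Hello, $name\n";
```

The CONTENT_LENGTH check only guards against clients that honestly declare
their size; the CGI.pm limit is still needed for bodies that arrive without
a usable length, and, as Teddy notes above, neither controls what the web
server itself has already buffered or spooled before the script runs.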




-----Original Message-----
From: Cool Hand Luke [mailto:[EMAIL PROTECTED]
Sent: Monday, March 31, 2003 1:38 PM
To: fliptop
Cc: [EMAIL PROTECTED]
Subject: Re: The very un-useful 'premature end of script headers' error message



> just because you don't need to parse any binaries doesn't mean your users
> won't try to submit one.
>
> don't forget anyone can create any kind of form that posts to your cgi.
> so there's nothing stopping me from creating a form like this:
>
> <form method="post" action="http://coolhandlukesite/cgi-bin/script.cgi"
> enctype="multipart/form-data">
> <input type="file" name="hugefile">
> <input type="submit">
> </form>

Good point, I hadn't thought of that. My only question is now, what will
happen? Is there a security risk I should worry about? Is this really
dangerous?
Thanks 4 the help.
Luke


--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



