Bill Stephenson wrote:
> I've been testing the "$CGI::DISABLE_UPLOADS" and "$CGI::POST_MAX"
> variables and I don't think I've got this feature working as it should.
> The docs say this:
> 
>     "CGI.pm also has some simple built-in protections against denial of
>     service attacks, but you must activate them before you can use them.
> 
>     <snip>
> 
>     $CGI::POST_MAX
>         If set to a non-negative integer, this variable puts a ceiling on
>         the size of POSTings, in bytes. If CGI.pm detects a POST that is
>         greater than the ceiling, it will immediately exit with an error
>         message."
> 
> It seems to me that my script will not exit until uploading the entire
> POST has been completed. So, here are my questions about this:
>

Right, but the script exits immediately. I *suspect* the complete
request must be sent to the web server regardless of whether the script
is going to fail. Exiting immediately just means that CGI will not allow
execution of anything beyond its initial preparations, rather than
meaning it will truncate the request.

At least that would be my interpretation... But I didn't have a look at
the module's source, you might want to check there for confirmation.

http://danconia.org


> Do I misunderstand the above? (ie. the script should upload the entire
> POST before exiting with an error)
> 
> Is there something wrong with my test script (I suspect this must be the
> case, please see it below)
> 
> Or... is there something wrong with CGI.pm? (this seems to be a longshot)
> 
> I'd really appreciate any help you all can give me with this.
> 
> Kindest Regards,
> 
> -- 
> Bill Stephenson
> 
> 
> <code>
> 
> #!/usr/bin/perl
> 
> # deny_upload.cgi
> 
> use CGI;
> use File::Basename;
> use strict;
> 
> $CGI::POST_MAX=1024 * 5;  # max 5K posts
> $CGI::DISABLE_UPLOADS = 1;  # no uploads
> 
> my $Q = new CGI;
> my $message;
> 
> # trap error with this...
> if (!$Q->param('file') && $Q->cgi_error()) {
>     $message = $Q->cgi_error();
>     &error_trap( "$message");
>     }
> 
> # or this...
> # if ($Q->cgi_error()) {
> #     $message = $Q->cgi_error();
> #     &error_trap( "$message");
> #     }
> 
> if (!$Q->param) {
>     print $Q->header;
>     print qq ~<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
>         "http://www.w3.org/TR/html4/loose.dtd">
>     <html>
>     <head>
>         <title>Upload Test</title>
>     </head>
>     <body>
>     <form id="upload_logo_form" method="post" action="/cgi-bin/test/deny_upload.cgi" enctype="multipart/form-data">
>     <input type="file" name="file" size="30">
>     <p><textarea name="text" rows="4" cols="40">put too much text in here</textarea></p>
>     <input type="submit" name="upload" value="Upload Stuff">
>     </form>
>     </body>
>     </html>~;
>     exit 0;
> }
> 
> # get on to uploading the file...
> 
> if ($Q->param('file')) {
>     my $data;
>     my $filePath;
>     my $file = $Q->param('file');
>     
>     fileparse_set_fstype("MSDOS");
>     $file = basename($file);
>     $filePath = "/test/$file";
> 
>     open (SAVE,">$filePath") or &error_trap($message= " Error:: $! :: Can Not Upload $file: \n");
>     while (read($Q->param('file'),$data,1024)) {print SAVE $data;}
>     close SAVE;
> 
>     print $Q->header;
>     print $Q->start_html(-title => "Uploaded it anyway");
>     print "Uploaded it anyway";
>     print $Q->end_html;
>     exit 0;
>     }
> 
> # the textarea in the form above is named "text"
> if ($Q->param('text')) {
>     print $Q->header;
>     print $Q->start_html(-title => "Lotsa Text");
>     print $Q->param('text');
>     print $Q->end_html;
>     exit 0;
>     }
> 
> sub error_trap  {
>     print $Q->header;
>     print  $Q->start_html(-title => "MyApp Error Screen");
>     print "$message";
>     print  $Q->end_html;
>     exit 0;
>     }
> 
> </code>
> 
> 
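
An added example, not part of either message and not CGI.pm's own code: it drives CGI.pm offline with two constructed POST bodies and prints what `cgi_error()` reports and how much of each body CGI.pm consumed. It assumes CGI.pm is installed; `simulate_post` and `respond` are names made up here, and what a web server does with the incoming request before the script runs is outside what this shows.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumes CGI.pm is installed.
use strict;
use warnings;
use CGI;

# Build a CGI object from a constructed urlencoded POST body, offline.
sub simulate_post {
    my ($body) = @_;
    local @ENV{qw(REQUEST_METHOD CONTENT_TYPE CONTENT_LENGTH)} =
        ('POST', 'application/x-www-form-urlencoded', length($body));
    local *STDIN;
    open STDIN, '<', \$body or die "cannot open in-memory STDIN: $!";

    CGI::initialize_globals();          # forget any earlier request; also resets the limits
    $CGI::POST_MAX        = 1024 * 5;   # same 5K ceiling as the quoted script
    $CGI::DISABLE_UPLOADS = 1;

    my $q      = CGI->new;
    my $unread = length($body) - tell(STDIN);   # body bytes CGI.pm did not consume
    return ($q, $unread);
}

# Turn the outcome into the response a handler would send.
sub respond {
    my ($q) = @_;
    # Check cgi_error() before touching any parameter: the CGI.pm docs say a
    # POST over the ceiling produces an empty parameter list.
    if (my $error = $q->cgi_error) {
        return $q->header(-status => $error, -type => 'text/plain')
             . "Request not processed: $error\n";
    }
    return $q->header(-type => 'text/plain')
         . 'Accepted fields: ' . join(', ', $q->param) . "\n";
}

for my $case (
    [ 'small POST (constructed)',    'text=hello' ],
    [ 'oversize POST (constructed)', 'text=' . ('A' x (1024 * 6)) ],
) {
    my ($label, $body) = @$case;
    my ($q, $unread) = simulate_post($body);
    printf "%s: %d bytes declared, %d left unread by CGI.pm\n",
        $label, length($body), $unread;
    print respond($q), "\n";
}
```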
