On Oct 18, 2005, at 10:08 AM, Wiggins d'Anconia wrote:
> Right, but the script exits immediately. I *suspect* the complete
> request must be sent to the web server regardless of whether the script
> is going to fail. Exiting immediately just means that CGI will not allow
> execution of anything beyond its initial preparations, rather than
> meaning it will truncate the request.
> At least that would be my interpretation... But I didn't have a look at
> the module's source, you might want to check there for confirmation.
OK, here's the source that handles this... It looks to me like we
just let the POST keep going until it's finished for no good reason...
METHOD: {
    # avoid unreasonably large postings
    if (($POST_MAX > 0) && ($content_length > $POST_MAX)) {
        # quietly read and discard the post
        my $buffer;
        my $max = $content_length;
        while ($max > 0 &&
               (my $bytes = $MOD_PERL
                ? $self->r->read($buffer,$max < 10000 ? $max : 10000)
                : read(STDIN,$buffer,$max < 10000 ? $max : 10000)
               )) {
            $self->cgi_error("413 Request entity too large");
            last METHOD;
        }
    }
and...
UPLOADS: {
    # If we get here, then we are dealing with a potentially large
    # uploaded form. Save the data to a temporary file, then open
    # the file for reading.

    # skip the file if uploads disabled
    if ($DISABLE_UPLOADS) {
        while (defined($data = $buffer->read)) { }
        last UPLOADS;
    }
I certainly don't mean to pretend that I understand everything Lincoln
considered when creating the above code, but why not just do something
like this?
METHOD: {
    # avoid unreasonably large postings
    if (($POST_MAX > 0) && ($content_length > $POST_MAX)) {
        $self->cgi_error("413 Request entity too large");
        last METHOD;
    }
and...
UPLOADS: {
    if ($DISABLE_UPLOADS) {
        $self->cgi_error("413 Request entity too large");
        last UPLOADS;
    }
Isn't the objective here to stop the POST as soon as possible? For
example, if my user inadvertently selects a 3 gig movie he's got on his
disk drive to upload with a dial-up connection, why wait until it has
been completely posted before notifying him that he can't do that?
And doesn't this still use up a lot of server resources and provide a
means of allowing a DOS attack?
Kindest Regards,
--
Bill Stephenson
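The two strategies discussed in this thread, as an added example that is not part of the original post and not CGI.pm's own code: a small Python model of a POST handler that decides from the request headers alone whether to accept the body, and either drains the body before answering 413 (the behaviour Bill quotes from CGI.pm) or answers 413 without reading it (the behaviour he proposes). The function and parameter names (`handle_post`, `drain_before_error`, `post_max`, `disable_uploads`) are assumptions chosen for this example; the 10000-byte chunk size mirrors the quoted loop. The return value counts the bytes actually pulled from the client, which is the resource-consumption figure the thread is arguing about.

```python
import io

# CGI.pm's discard loop reads at most 10000 bytes per read(); mirrored here.
CHUNK = 10000


def read_and_discard(stream, content_length, chunk=CHUNK):
    """Drain an entire request body in chunks (CGI.pm style).

    Returns the number of bytes consumed from the client connection.
    """
    remaining = content_length
    consumed = 0
    while remaining > 0:
        data = stream.read(min(remaining, chunk))
        if not data:  # client hung up early
            break
        consumed += len(data)
        remaining -= len(data)
    return consumed


def handle_post(headers, stream, post_max=0, disable_uploads=False,
                drain_before_error=True):
    """Accept or reject a POST using only Content-Length and Content-Type.

    headers:            dict of request headers (constructed by the caller)
    stream:             file-like object yielding the request body
    post_max:           0 means unlimited, like CGI.pm's $POST_MAX
    disable_uploads:    reject multipart/form-data, like $DISABLE_UPLOADS
    drain_before_error: True  = read the whole body, then send 413
                        False = send 413 immediately, read nothing
    Returns (status_line, bytes_consumed_from_client).
    """
    content_length = int(headers.get("Content-Length", "0"))
    content_type = headers.get("Content-Type", "")

    too_large = post_max > 0 and content_length > post_max
    is_upload = content_type.startswith("multipart/form-data")

    if too_large or (disable_uploads and is_upload):
        consumed = (read_and_discard(stream, content_length)
                    if drain_before_error else 0)
        return ("413 Request entity too large", consumed)

    # Acceptable request: read the body for normal processing.
    body = stream.read(content_length)
    return ("200 OK", len(body))


if __name__ == "__main__":
    # Constructed sample: a 50 000-byte urlencoded POST against a 10 000-byte limit.
    body = b"x" * 50000
    hdrs = {"Content-Length": str(len(body)),
            "Content-Type": "application/x-www-form-urlencoded"}
    for drain in (True, False):
        status, used = handle_post(hdrs, io.BytesIO(body), post_max=10000,
                                   drain_before_error=drain)
        print(f"drain={drain!s:5}  {status}  bytes read from client: {used}")
```

Running it shows the difference the thread is about: with draining, the server still reads all 50000 bytes it has already decided to reject; without it, zero. The trade-off a practitioner should keep in mind when choosing the immediate-reject path is that a server which stops reading must also close the connection, and a client still mid-upload may then see a connection reset before it has read the 413 response.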