> On Tue, 02 Dec 2003 10:43:08 -0800, [EMAIL PROTECTED] (Greg Zartman)
> wrote:
> 
> >
> >I'm relatively inexperienced at using this module as I've always 
> >preferred coding my own cgi functions.  A question:
> >
> >If one were to use the CGI::Safe CGI subclass to turn-off uploads, does 
> >this shut off uploads in general for the cgi session or is it required 
> >that one use CGI form objects to take advantage of this security feature?
> 
> It will only affect the script you are using it in.
> If you want to turn off uploads in general, it would be best
> to edit your CGI.pm and set  $DISABLE_UPLOADS=1.
> But that will only work if you use CGI.pm, in your script, which
> is recommended anyways.
> 

This is one of the things CGI::Safe does; it is really just a wrapper
around CGI.pm, but it allows you to do it without having to edit the
source or to set it in every script, which is actually pretty nice.

> Another method for disabling DOS attacks with uploads
> or other large posts is to check the $ENV{'CONTENT_LENGTH'}
> at the beginning of the script. If it's too big, send an error message.
> 

This is how CGI.pm handles it....

> I've seen some problems with CGI.pm's DISABLE_UPLOAD where
> the upload is not allowed, but the actual file is uploaded but not
> saved. This can still be used for DOS.
> 

This doesn't seem possible, unless the request was sent without a
content length at all, in which case there isn't really a way to prevent
it, other than having the server deny the request up front because it isn't
well formed. When did the content length enter the HTTP spec? Has it
been there from the start?

> The $ENV{'CONTENT_LENGTH'} is more foolproof, because it is
> available to check before any data gets transferred.
> 

Assuming the request has sent it....

http://danconia.org
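The two defensive layers discussed in this thread, an early `$ENV{'CONTENT_LENGTH'}` check and CGI.pm's own upload/size limits, put together in one script. This is an added example, not code from the thread, from CGI.pm or from CGI::Safe; the 64 KB limit is an assumed policy value, the request is assumed to arrive through a plain CGI environment, and `precheck_request` / `refuse` are names chosen here. It also handles the case the thread raises, a body-carrying request with no Content-Length, by refusing it rather than trusting it.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from CGI::Safe. Refuses a
# request on the basis of Content-Length alone, before CGI.pm reads STDIN,
# then lets CGI.pm enforce its documented limits as a second layer.
use strict;
use warnings;
use CGI;

# Policy value assumed for this example: largest request body accepted.
my $MAX_BODY_BYTES = 64 * 1024;

# Inspect only the CGI environment (nothing is read from STDIN here).
# Returns a reason string when the request must be refused, undef otherwise.
sub precheck_request {
    my ($env, $limit) = @_;
    my $method = defined $env->{REQUEST_METHOD} ? $env->{REQUEST_METHOD} : 'GET';
    return undef unless $method eq 'POST' || $method eq 'PUT';

    my $len = $env->{CONTENT_LENGTH};
    # A body-carrying request with no usable Content-Length cannot be bounded
    # up front (the point raised in the thread), so it is refused, not trusted.
    return 'missing or malformed Content-Length'
        unless defined $len && $len =~ /^\d+$/;
    return "body of $len bytes exceeds the $limit byte limit" if $len > $limit;
    return undef;
}

# Send a 413 and stop; the body is never read by this script.
sub refuse {
    my ($reason) = @_;
    print "Status: 413 Request Entity Too Large\r\n",
          "Content-Type: text/plain\r\n\r\n",
          "Request refused: $reason\n";
    exit 0;
}

if (my $problem = precheck_request(\%ENV, $MAX_BODY_BYTES)) {
    refuse($problem);
}

# Second layer: CGI.pm's own documented package variables. They must be set
# before CGI->new, which is where CGI.pm reads the request body.
$CGI::POST_MAX        = $MAX_BODY_BYTES;   # larger bodies are not read
$CGI::DISABLE_UPLOADS = 1;                 # multipart file uploads are not processed

my $q = CGI->new;
if (my $err = $q->cgi_error) {
    # CGI.pm reports "413 Request entity too large" here when POST_MAX is exceeded
    refuse($err);
}

my @names = $q->param;
print $q->header('text/plain');
printf "Accepted %s request with %d parameter(s)\n",
    $ENV{REQUEST_METHOD} || 'GET', scalar @names;
```

A refusal here only keeps this script from reading the body; whatever the web server has already accepted on the socket is outside the script's control, which is exactly the limitation the thread is discussing. The environment check therefore belongs as early as possible, before any module call that might read STDIN.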
