I like the array ref idea.

+1

Rocco Caputo wrote:
Dylan Hardison asked on IRC whether it was possible to limit the
length of an input line using POE::Filter::Line.  I admitted that it's
not currently an option but could become one.

We put down some ideas about what to do with long lines.  Four
possibilities came up:

  1. Ignore the excess characters on a line.  Return a truncated line
     with no exception.

  2. Same as #1, but with some sort of marker signaling an exception.

  3. Discard the long line entirely.  Don't return anything, and don't
     throw an exception.

  4. Same as the preceding, but with an exception marker attached.

We agreed that undef made a lousy exception marker.  The best idea so
far is to return an array reference for long lines:

  [ ERROR_CODE,
    TRUNCATED_LINE,
    ATTEMPTED_LINE_LENGTH,
  ]

When ref($new_input) is true, it signals that a record contains
out-of-band data.

The ERROR_CODE allows for expansion.  Currently it might be something
like "trunc", or perhaps a bit flag exported by POE::Filter::Line.

The ATTEMPTED_LINE_LENGTH lets a program decide whether the input was
malicious.

Sample usage might look like this.

  sub handle_input {
    my ($heap, $input) = @_[HEAP, ARG0];

    # Handle out of band data.
    if (ref $input) {

      # Deal with truncated lines.  Disconnect the user if this is an
      # obvious DOS attempt.  Otherwise use the truncated input.

      if ($input->[0] & LINE_TRUNCATED) {
        if ($input->[2] > 2048) {
          delete $heap->{wheel};
          return;
        }
        $input = $input->[1];
      }
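      else {
        # Unknown exception: there is no usable line, so stop here
        # instead of echoing the array reference back.
        warn "unknown input exception $input->[0]";
        return;
      }
    }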

    # Handle $input normally.
    $heap->{wheel}->put("You entered: $input");
  }

The behavior might be enabled with a new parameter, perhaps
LineLengthLimit.

  $heap->{wheel} = POE::Wheel::Run->new(
    ...,
    Filter => POE::Filter::Line->new( LineLengthLimit => 512 ),
  );

Thanks for your consideration.

-- Rocco Caputo
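
An added sketch, not part of the original message and not POE::Filter::Line's code: a stand-alone reader that produces the proposed [ ERROR_CODE, TRUNCATED_LINE, ATTEMPTED_LINE_LENGTH ] record while buffering no more than the limit per line. The package name BoundedLineReader, its feed method, the LINE_TRUNCATED value and the "\n"-only terminator are assumptions; LineLengthLimit is the parameter name proposed above.

```perl
use strict;
use warnings;

# Hypothetical stand-alone sketch; not POE::Filter::Line's code or API.
package BoundedLineReader;
use constant LINE_TRUNCATED => 0x01;   # assumed bit-flag error code

sub new {
  my ($class, %arg) = @_;
  return bless {
    limit => $arg{LineLengthLimit} // 512,
    kept  => '',   # at most `limit` bytes of the current line
    seen  => 0,    # full attempted length of the current line
  }, $class;
}

# Feed a raw chunk; return the records it completes.  Normal lines
# are plain strings, long lines are [ CODE, TRUNCATED, ATTEMPTED ].
sub feed {
  my ($self, $chunk) = @_;
  my @records;
  while (length $chunk) {
    my $nl   = index($chunk, "\n");
    my $part = $nl < 0 ? $chunk : substr($chunk, 0, $nl);
    $chunk   = $nl < 0 ? ''     : substr($chunk, $nl + 1);

    # Count every byte but store only up to the limit, so memory
    # stays bounded no matter how long the peer's line is.
    $self->{seen} += length $part;
    my $room = $self->{limit} - length $self->{kept};
    $self->{kept} .= substr($part, 0, $room) if $room > 0;

    next if $nl < 0;   # line not finished; wait for the next chunk
    push @records, $self->{seen} > $self->{limit}
      ? [ LINE_TRUNCATED, $self->{kept}, $self->{seen} ]
      : $self->{kept};
    @$self{qw(kept seen)} = ('', 0);
  }
  return @records;
}

package main;
# Constructed input: a short line, then a 3000-byte line split over two reads.
my $reader = BoundedLineReader->new(LineLengthLimit => 8);
for my $rec ($reader->feed("hello\n" . 'A' x 1500), $reader->feed('A' x 1500 . "\nbye\n")) {
  print ref($rec) ? "exception: code=$rec->[0] kept=$rec->[1] attempted=$rec->[2]\n"
                  : "line: $rec\n";
}
```

Because the attempted length is a counter rather than a buffer, a handler like the one in the message can still compare it against its own threshold after the excess bytes have been dropped.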
