Please take into account that I'm new at this...
Rather than using CGI.pm, I'm using the following library sub-routine
which was passed to me by a friend (I think from one of the O'Reilly
books). What I'm wondering is if Perl 5 has any built in functionality
to prevent buffer overruns or excessive memory consumption resulting
from POST data. Is there a default maximum for buffer size and for
bytes received via POST? If so, what are these maximums?
And, coming from a total newbie, does CGI.pm deal with this better? If
so, how?
################################################################
# For immediate backwards compatibility with old cgi-lib.pl apps
# I've named the sub ReadParse and the hash $in
################################################################
sub ReadParse {
    local($name, $value, $pair, $buffer, @pairs);
    if ($ENV{'REQUEST_METHOD'} eq 'GET') {
        @pairs = split(/&/, $ENV{'QUERY_STRING'});
    } elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
        ################################################################
        # This part of the script seems to be taking the buffer size
        # directly from the POSTed data itself. I think this could be a
        # potential problem. What do you think?
        ################################################################
        read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
        @pairs = split(/&/, $buffer);
        ################################################################
    } else {
        $Error_Message = "Bad request method ($ENV{'REQUEST_METHOD'}). Use POST or GET";
        return(0);
    }
    foreach $pair (@pairs) {
        ($name, $value) = split(/=/, $pair, 2); # limit 2: a value may itself contain '='
        $name =~ tr/+/ /;
        $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $name =~ s/\n//g;
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $value =~ s/\n//g;
        $value =~ s/<!--.*?-->//g; # disallow SSI; non-greedy so only each comment is removed
        $in{$name} = $value;
    }
    return;
}
################################################################
===================
Shaun Fryer
===================
London Webmasters
http://LWEB.NET
PH: 519-858-9660
FX: 519-858-9024
===================
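Perl strings grow on demand, so the exposure with the routine above is memory consumption rather than a C-style overrun: read() will try to allocate whatever CONTENT_LENGTH asks for, and nothing in Perl caps that by default. The following is an added example, not code from the post, of a ReadParse that validates CONTENT_LENGTH against a script-chosen limit before reading; $POST_MAX and read_post_body are names assumed for this example (CGI.pm offers a comparable knob as $CGI::POST_MAX).

```perl
use strict;
use warnings;
# $POST_MAX is an assumed limit for this example; CGI.pm offers $CGI::POST_MAX.
our $POST_MAX = 100 * 1024;
our (%in, $Error_Message);
# Read exactly the declared body length, but only after checking it against
# a fixed cap, so the client cannot choose how much memory read() allocates.
sub read_post_body {
    my ($fh, $declared, $max) = @_;
    return (undef, "Missing or non-numeric CONTENT_LENGTH")
        unless defined $declared && $declared =~ /^\d+\z/;
    return (undef, "POST body ($declared bytes) exceeds limit ($max bytes)")
        if $declared > $max;
    my ($buffer, $got) = ('', 0);
    while ($got < $declared) {            # read() may return fewer bytes than asked
        my $n = read($fh, $buffer, $declared - $got, $got);
        return (undef, "read failed: $!") unless defined $n;
        last if $n == 0;                  # client closed the connection early
        $got += $n;
    }
    return (undef, "Truncated body: $got of $declared bytes") if $got != $declared;
    return ($buffer, undef);
}
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;
    return $s;
}
sub ReadParse {
    my $method = $ENV{'REQUEST_METHOD'} || '';
    my @pairs;
    if ($method eq 'GET') {
        @pairs = split(/&/, $ENV{'QUERY_STRING'} || '');
    } elsif ($method eq 'POST') {
        my ($body, $err) = read_post_body(\*STDIN, $ENV{'CONTENT_LENGTH'}, $POST_MAX);
        if (defined $err) { $Error_Message = $err; return 0; }
        @pairs = split(/&/, $body);
    } else {
        $Error_Message = "Bad request method ($method). Use POST or GET";
        return 0;
    }
    for my $pair (@pairs) {
        my ($name, $value) = split(/=/, $pair, 2);   # limit 2: values may contain '='
        my $key = url_decode($name);
        $in{$key} = url_decode(defined $value ? $value : '');
    }
    return 1;
}
```

An oversized or truncated body is reported through $Error_Message and ReadParse returns 0, so the caller can answer with an error instead of parsing a partial buffer.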