http://www.perlmonks.org?node_id=262494


in reply to Re: hash collision DOS
in thread hash collision DOS

  1. See the fine manual: you can already ->delete() parameters, so just grep unrequested parameters out of ->param() and dump them in the bit bucket.
  2. All webservers have a relatively tight maximum size for GET requests. (I think the default is something like 4kb for Apache.) You can set $CGI::POST_MAX for POST requests.
Use those well and it shouldn't be possible to dump enough data on a script to slow it down significantly.

Makeshifts last the longest.

Re: Re^2: hash collision DOS (CGI.pm protection)
by PodMaster (Abbot) on Jun 03, 2003 at 04:01 UTC
    Calling delete would happen after the problem has already occurred. I concur, if $ENV{QUERY_STRING} length bothers you, simply cut it down (same goes for POST_MAX).

    I do feel a nice addition would be something like

        acceptOnly( thesekeys => qw[ these keys ] );
        acceptOnly( thismanykeys => 44 );

    This would be trivial to add ... just a thought


    MJD says you can't just make shit up and expect the computer to know what you mean, retardo!
    I run a Win32 PPM repository for perl 5.6x+5.8x. I take requests.
    ** The Third rule of perl club is a statement of fact: pod is sexy.

Re: Re^2: hash collision DOS (CGI.pm protection)
by Jenda (Abbot) on Jun 03, 2003 at 10:36 UTC

    PodMaster is right. ->delete() comes too late. And even the $CGI::POST_MAX doesn't help much.

    Imagine you have a file upload script. There you need to keep the $CGI::POST_MAX rather high so they may be able to post quite a few CGI parameters. And then even the creation of the hash that CGI.pm uses to store data may take a lot of time. And the grep and delete would only make the issue worse.

    Jenda
    Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
       -- Rick Osborne

    Edit by castaway: Closed small tag in signature
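The point PodMaster and Jenda make is that the cost is paid while the hash is being built, so the key-count limit PodMaster sketches (his "thismanykeys => 44") has to run on the raw query string before anything is stored. The sketch below is an added example written for this thread, not CGI.pm code or code from any of the posters; the function name and the limit of 44 are assumed. It counts pair separators in the raw string (linear, no hash involved) and rejects the request before a single hash entry exists; a real script would apply the same check to $ENV{QUERY_STRING} and to the raw POST body before handing either to CGI.pm.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse a raw query string into a hash, but refuse it before any hash
# entries are created if it carries more than $max_keys pairs. Counting
# separators is linear in the input length and builds no hash, so an
# oversized request is rejected before the expensive part begins.
# Illustration for this thread, not CGI.pm code; name and limit assumed.
sub parse_limited_query {
    my ($query, $max_keys) = @_;
    $max_keys ||= 44;
    return {} if !defined $query || $query eq '';

    # Count pairs without splitting: number of '&' or ';' separators + 1.
    my $pairs = 1 + ($query =~ tr/&;//);
    die "Too many parameters ($pairs > $max_keys)\n" if $pairs > $max_keys;

    my %param;
    for my $pair (split /[&;]/, $query) {
        next if $pair eq '';
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/eg;   # undo URL encoding
        }
        push @{ $param{$k} }, $v;   # keep multi-valued params, like ->param()
    }
    return \%param;
}

# Constructed sample inputs: a normal request and a 100-key flood.
my $ok = parse_limited_query('name=monk&lang=perl&lang=c', 44);
print join(',', @{ $ok->{lang} }), "\n";

my $flood = join '&', map { "k$_=1" } 1 .. 100;
my $res = eval { parse_limited_query($flood, 44) };
print $@ ? "rejected: $@" : "accepted\n";
```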