in reply to Vetting a CGI script
In particular, Limbic~Region mentions the possibility of potential modification of the $CGI::DISABLE_UPLOADS and $CGI::POST_MAX values.
For me, this possibility places a greater burden on the receiving script. A) Nothing dangerous (like a malevolent cgi script) should be uploaded to a place where it could be invoked from the web and B) Massive return values from the form fields should probably be simply discarded rather than attempting to process/forward/store them.
In the current case, as best I can tell, uploads are not an issue. I assume someone could construct and post a response containing a dangerous or large upload. But without intervention by the receiving script, I presume it would simply languish in a tmp directory. A large, uninvited upload might slow the server down a bit or threaten the hard disk capacity, but there are other places (e.g. httpd.conf) to deal with that.
On the other hand, over-large form data needs to be anticipated and handled appropriately within the receiving script.
------------------------------------------------------------
"Perl is a mess
and that's good because the
problem space is also a mess." - Larry Wall
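As an added illustration (not code from the thread or from CGI.pm's authors) of the point above about anticipating over-large form data in the receiving script: a skeleton that sets $CGI::POST_MAX and $CGI::DISABLE_UPLOADS before the request is parsed, re-checks the body size itself in case those globals were altered elsewhere, and discards oversized submissions rather than processing them. The 100 KB cap and the field names are assumptions for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Limits must be in place before CGI->new reads and parses the request body.
$CGI::POST_MAX        = 100 * 1024;  # assumption: 100 KB is ample for this form
$CGI::DISABLE_UPLOADS = 1;           # the form has no file fields, so refuse any

# Defence in depth: if the globals above were changed by other code in the
# process, still refuse a body the script never intends to handle, before
# CGI.pm reads it from STDIN.
my $limit = 100 * 1024;
if (defined $ENV{CONTENT_LENGTH} && $ENV{CONTENT_LENGTH} > $limit) {
    print "Status: 413 Request Entity Too Large\r\n",
          "Content-Type: text/plain\r\n\r\n",
          "Request body too large.\n";
    exit;
}

my $q = CGI->new;

# CGI.pm records an oversized body ("413 Request entity too large") or a
# disallowed upload ("403 Forbidden") in cgi_error and discards the data.
if (my $err = $q->cgi_error) {
    print $q->header(-status => $err, -type => 'text/plain'),
          "Request rejected: $err\n";
    exit;
}

# Per-field caps (assumed names and lengths): discard the whole submission
# rather than truncating and forwarding it.
my %max_len = (name => 100, email => 254, message => 4000);
for my $field (sort keys %max_len) {
    my $v = $q->param($field);
    if (defined $v && length($v) > $max_len{$field}) {
        print $q->header(-status => '400 Bad Request', -type => 'text/plain'),
              "Field '$field' exceeds allowed length.\n";
        exit;
    }
}

print $q->header(-type => 'text/plain');
print "Accepted.\n";
```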