there are no other security issues ... that I'm aware of.
That you are aware of.
Please refer to specific lines of code as your comments are at best spurious.
I'm not here to do your homework for you.
Don't guess as to how you think the web works. Read the relevant RFCs. Read working and tested code if you're determined to do it your own way. Do it right or do it wrong—I don't care—but if you're going to claim that you're doing something better than everyone else, at least do the world the credit of trying to get it right.
Hi,
Reading the relevant documentation on CGI.pm shows the two so-called 'DOS attacks' you refer to are disabled by default and left to the web server, as does my own 'cooked CGI'. This is not a bug or security issue.
There are no other security bugs and the system is fully protected and tested against SQL injection.
Should you have any further advice, can you please point it out with at least one line of relevant code. If not, I'd appreciate it if you can drop the negativity. I'm here to get it right and will solve any issues that are identified.
Any statements are justified. If you install the system and get it up and running you will see the hugely powerful security and the differentiation that it can do.
I sympathise that installation is not as straightforward as others and documentation is lacking, but again this is powerful software for web developers, not web users.
Yours, Andrew
What web server are you using that magically corrects incorrect Content-Length headers for you without reading the input stream?
You didn't address the data loss or the incorrect parameter separator bugs either, and I just noticed you ignore the encoding of input. Why?
Re: input length, ref: http://perldoc.perl.org/CGI.html#Avoiding-Denial-of-Service-Attacks, which states that such functionality is not enabled by default; the web server can limit resources for CGI scripts.
Which data loss 'bug' are you referring to? This code has been running for years now with no data loss?
Parameter separator bug, I presume you are talking about the lack of '=' also setting the value to 1. This is a feature to cut the URI string down.
The URI input is parsed using a standard method and is UTF8 compatible;
$v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;   # decode each %XX escape to the byte it encodes
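For comparison, here is a stand-alone query-string parser written for this thread (it is an added example, not code from the 'cooked CGI' project or from either poster, and it does not use CGI.pm). It shows the two points raised above: a bare field without '=' is kept with an empty value rather than set to 1, and the %XX-decoded bytes are explicitly decoded as UTF-8, since chr(hex($1)) on its own only produces Latin-1 code points and silently accepts byte sequences that are not valid UTF-8.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(decode FB_CROAK);

binmode STDOUT, ':encoding(UTF-8)';

# Decode one application/x-www-form-urlencoded component:
# '+' is a space and %XX is a single byte. The resulting byte
# string is then decoded as UTF-8; malformed input is rejected
# (returns undef) instead of being passed on to the application.
sub decode_component {
    my ($raw) = @_;
    my $bytes = $raw;
    $bytes =~ tr/+/ /;
    # Note the brackets around the hex character class.
    $bytes =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
    my $text = eval { decode('UTF-8', $bytes, FB_CROAK) };
    return defined $text ? $text : undef;
}

# Parse a query string into { name => [ value, ... ] }.
# A field with no '=' keeps an empty value (the post above sets it to 1).
sub parse_query {
    my ($qs) = @_;
    my %params;
    for my $pair (split /&/, $qs) {
        next if $pair eq '';
        my ($k, $v) = split /=/, $pair, 2;   # split on the first '=' only
        $v = '' unless defined $v;
        my $key = decode_component($k);
        my $val = decode_component($v);
        next unless defined $key && defined $val;   # drop malformed UTF-8
        push @{ $params{$key} }, $val;
    }
    return \%params;
}

# Constructed sample input, not taken from any real request:
# a UTF-8 value with '+' spaces, a bare flag, an encoded '=' and '&'
# inside a value, an invalid UTF-8 byte, and a repeated name.
my $sample = 'q=caf%C3%A9+au+lait&flag&x=a%3Db%26c&bad=%FF&q=second';
my $p = parse_query($sample);
for my $name (sort keys %$p) {
    printf "%s => [%s]\n", $name, join(', ', @{ $p->{$name} });
}
```

Running it prints flag with an empty value, q with both values, and x as 'a=b&c'; the field with the lone %FF byte is dropped because it is not valid UTF-8.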