Ya know, CGI.pm isn't the only components involved in this transaction. There is this thing called a webserver, and it has all kinds of setting of its own. You might wanna look into those. Also, 4096 seems like a good limit for a GET request (i've seen it on a couple of servers).

updated: and those tests you're running, they probably won't do any good, since nobody is mentioning which server they're running, or which version of CGI.pm, you guys aren't on the same server ;D, and CGI.pm is pretty dang sturdy.

updated: I also sugguest the alienhuman goes and reads the RFC for HTTP, and then cracks open CGI.pm. In (crazyinsomniac) Re: A serious security problem with CGI.pm 3.01? I do that the post max limiting myself.

 
___crazyinsomniac_______________________________________
Disclaimer: Don't blame. It came from inside the void
perl -e "$q=$_;map({chr unpack qq;H*;,$_}split(q;;,q*H*));print;$q/$q;"