Re: Security issues for CGI file upload

What happens when the filesize exceeds $CGI::POST_MAX ? Not being snide, I have a need in an app I've built to check this and was unsure of the best way to do it and report to a user if there's an error. I'm curious to see how other monks handle it.

-Any sufficiently advanced technology is
indistinguishable from doubletalk.

Comment on Re: Security issues for CGI file upload

Replies are listed 'Best First'.
Re: Re: Security issues for CGI file upload by rob_au (Abbot) on Jan 19, 2002 at 04:52 UTC
From CGI ... `If set to a non-negative integer, this variable puts a ceiling on the size of POSTings, in bytes. If CGI.pm detects a POST that is greater than the ceiling, it will immediately exit with an error message. This value will affect both ordinary POSTs and multipart POSTs, meaning that it limits the maximum size of file uploads as well. You should set this to a reasonably high value, such as 1 megabyte.` [download] You can change this behaviour with a dispatch to your own code by altering the `init` method. eg. `METHOD: { . . # avoid unreasonably large postings if (($POST_MAX > 0) && ($content_length > $POST_MAX)) { $self->cgi_error("413 Request entity too large"); last METHOD; } . . }` [download] Personally myself, I am happy to let CGI to return the error message. Update I had an additional thought on this topic determining a way to handle an over-sized post with our own error handling code without having to mess about with CGI module code. The following is the result, taking some liberties with the CGI source: `#!/usr/bin/perl -Tw use strict; BEGIN { my $POST_MAX = 1048576; my $content_length = defined $ENV{'CONTENT_LENGTH'} ? $ENV{'CONTEN +T_LENGTH'} : 0; if ( ($POST_MAX > 0) && ($content_length > $POST_MAX) ) { # 413 request entity too large error handling } } use CGI;` [download] `perl -e 's&&rob@cowsnet.com.au&&&split/[@.]/&&s&.com.&_&&&print'`	[reply] [d/l] [select]

Replies are listed 'Best First'.

Re: Re: Security issues for CGI file upload
by rob_au (Abbot) on Jan 19, 2002 at 04:52 UTC

CGI

If set to a non-negative integer, this variable puts a
ceiling on the size of POSTings, in bytes.  If CGI.pm
detects a POST that is greater than the ceiling, it
will immediately exit with an error message.  This
value will affect both ordinary POSTs and multipart
POSTs, meaning that it limits the maximum size of file
uploads as well.  You should set this to a reasonably
high value, such as 1 megabyte.
[download]

You can change this behaviour with a dispatch to your own code by altering the init method. eg.

  METHOD: {

      .
      .

      # avoid unreasonably large postings
      if (($POST_MAX > 0) && ($content_length > $POST_MAX)) {
          $self->cgi_error("413 Request entity too large");
          last METHOD;
      }

      .
      .

  }
[download]

Personally myself, I am happy to let CGI to return the error message.

Update

I had an additional thought on this topic determining a way to handle an over-sized post with our own error handling code without having to mess about with CGI module code. The following is the result, taking some liberties with the CGI source:

#!/usr/bin/perl -Tw

use strict;

BEGIN {
    my $POST_MAX = 1048576;

    my $content_length = defined $ENV{'CONTENT_LENGTH'} ? $ENV{'CONTEN
+T_LENGTH'} : 0;
    if ( ($POST_MAX > 0) && ($content_length > $POST_MAX) ) {
        #   413 request entity too large error handling
    }
}

use CGI;
[download]

perl -e 's&&rob@cowsnet.com.au&&&split/[@.]/&&s&.com.&_&&&print'

[reply]
[d/l]
[select]