in reply to Re: Security issues for CGI file upload
in thread Security issues for CGI file upload

From CGI ...

If set to a non-negative integer, this variable puts a
ceiling on the size of POSTings, in bytes.  If CGI.pm
detects a POST that is greater than the ceiling, it
will immediately exit with an error message.  This
value will affect both ordinary POSTs and multipart
POSTs, meaning that it limits the maximum size of file
uploads as well.  You should set this to a reasonably
high value, such as 1 megabyte.

[download]

You can change this behaviour with a dispatch to your own code by altering the init method. eg.

  METHOD: {

      .
      .

      # avoid unreasonably large postings
      if (($POST_MAX > 0) && ($content_length > $POST_MAX)) {
          $self->cgi_error("413 Request entity too large");
          last METHOD;
      }

      .
      .

  }

[download]

Personally myself, I am happy to let CGI to return the error message.

 

Update

 

I had an additional thought on this topic determining a way to handle an over-sized post with our own error handling code without having to mess about with CGI module code. The following is the result, taking some liberties with the CGI source:

#!/usr/bin/perl -Tw

use strict;

BEGIN {
    my $POST_MAX = 1048576;

    my $content_length = defined $ENV{'CONTENT_LENGTH'} ? $ENV{'CONTEN
+T_LENGTH'} : 0;
    if ( ($POST_MAX > 0) && ($content_length > $POST_MAX) ) {
        #   413 request entity too large error handling
    }
}

use CGI;

[download]
perl -e 's&&rob@cowsnet.com.au&&&split/[@.]/&&s&.com.&_&&&print'

In Section Seekers of Perl Wisdom