bear0053 has asked for the wisdom of the Perl Monks concerning the following question:

What I am trying to do is have one CGI script read in some XML that was posted to it. It works fine for the GET but not the POST. Below is the code that sends and reads (located in separate files).

The Sending code:
    my $xml = "<test>post did it go threw</test>";
    my $SendObject = Win32::OLE->new('microsoft.XMLhttp');
    $SendObject->open("POST", "http://www.xys.com/cgi-bin/post_test.cgi", "false");
    $SendObject->setRequestHeader("Content-type", "text/xml");
    $SendObject->send($xml);
    my $response = $SendObject->responseText;
    print "<br><br>POST RESPONSE: $response";

The receiving code:
    if($ENV{'REQUEST_METHOD'} eq 'POST'){
        my $val = <STDIN>;
        print $val;
    }

It doesn't like how I am trying to access STDIN. The error I get is:

    CGI Timeout
    The specified CGI application exceeded the allowed time for processing. The server has deleted the process.

All help is greatly appreciated... as usual, thank you all.

-Bob
"I'm just a squirrel trying to get a nut"

Replies are listed 'Best First'.
Re: cgi and stdin
by bear0053 (Hermit) on Oct 24, 2003 at 17:43 UTC
    Fixed by doing this:

    if($ENV{'REQUEST_METHOD'} eq 'POST'){
        my $val;
        read(STDIN, $val, $ENV{'CONTENT_LENGTH'});
        print $val;
    }

      The fixed length read is exactly what CGI.pm and SOAP::Lite use.

      You should do more validation to be safe. First, check the Content-Type. It is fine to post the XML directly to the script, but the client should set a Content-Type of text/xml. This will keep you from interpreting normal form posts as XML.

      Second, check that content length is set and check for a maximum content length. If you don't, an attacker can post 20 GB to your script and it will happily try to read it all into memory.

      Yes, this is correct. In fact, all my CGI code now does a check to see if it's called by 'GET' or 'POST' method, and pulls appropriately.
        Hand-rolled logic?

        Then without looking I am willing to bet that your code is broken. See Use CGI or die; for some of the standard pitfalls.
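
The validation advice in the reply above (check the Content-Type, require CONTENT_LENGTH, cap it), as an added example that is not part of any post in this thread. The `read_xml_post` helper, the 64 KB cap and the sample requests are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $MAX_BODY = 64 * 1024;   # assumed cap; size it to the largest XML document you expect

# Returns (HTTP status, body). Body is undef unless the status is 200.
sub read_xml_post {
    my ($env, $in) = @_;
    return ('405 Method Not Allowed')
        unless ($env->{REQUEST_METHOD} // '') eq 'POST';

    # Accept only text/xml, with optional parameters such as "; charset=utf-8".
    return ('415 Unsupported Media Type')
        unless ($env->{CONTENT_TYPE} // '') =~ m{\A\s*text/xml\s*(?:;|\z)}i;

    # CONTENT_LENGTH must be present and purely numeric before it is used as a read size.
    my $len = $env->{CONTENT_LENGTH} // '';
    return ('411 Length Required')   unless $len =~ /\A[0-9]+\z/;
    return ('413 Payload Too Large') if $len > $MAX_BODY;

    # read() may return fewer bytes than requested, so loop until the
    # declared length arrives or the client stops sending.
    binmode $in;
    my ($body, $got) = ('', 0);
    while ($got < $len) {
        my $n = read($in, $body, $len - $got, $got);
        return ('400 Bad Request') unless $n;   # undef (error) or 0 (early EOF)
        $got += $n;
    }
    return ('200 OK', $body);
}

# Constructed sample requests, fed through in-memory filehandles so this runs offline.
my $xml = '<test>post did it go threw</test>';
my @cases = (
    [ { REQUEST_METHOD => 'POST', CONTENT_TYPE => 'text/xml', CONTENT_LENGTH => length($xml) }, $xml ],
    [ { REQUEST_METHOD => 'POST', CONTENT_TYPE => 'application/x-www-form-urlencoded', CONTENT_LENGTH => 5 }, 'a=b&c' ],
    [ { REQUEST_METHOD => 'POST', CONTENT_TYPE => 'text/xml' }, $xml ],                                   # no length
    [ { REQUEST_METHOD => 'POST', CONTENT_TYPE => 'text/xml', CONTENT_LENGTH => 21_474_836_480 }, $xml ], # claims 20 GB
    [ { REQUEST_METHOD => 'POST', CONTENT_TYPE => 'text/xml', CONTENT_LENGTH => 500 }, $xml ],            # body shorter than declared
);
for my $c (@cases) {
    open my $fh, '<', \$c->[1] or die "open: $!";
    my ($status, $body) = read_xml_post($c->[0], $fh);
    print $status, (defined $body ? "  $body" : ''), "\n";
}
```

In the CGI script itself the call would be `read_xml_post(\%ENV, \*STDIN)`, with the returned status sent in a `Status:` header before any output.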

Re: cgi and stdin
by hardburn (Abbot) on Oct 24, 2003 at 17:23 UTC

    I bet your receiving code is sitting there waiting for more data to come.

    Instead of grabbing the data yourself, why not use CGI.pm and change the data you send into xml=<test>post did it go threw</test>? Then your receiving code becomes:

    use CGI qw(:standard);
    print param('xml');

    ----
    I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
    -- Schemer

    :(){ :|:&};:

    Note: All code is untested, unless otherwise stated

      Thanks, but it has to be sent as XML the way I showed in the sending code. I cannot use CGI.pm to help me grab it.