Re: cgi and stdin

fixed by doing this

if($ENV{'REQUEST_METHOD'} eq 'POST'){
    my $val;
    read(STDIN, $val, $ENV{'CONTENT_LENGTH'});
    print $val;
}
[download]

Comment on Re: cgi and stdin Download Code

Replies are listed 'Best First'.
Re: Re: cgi and stdin by iburrell (Chaplain) on Oct 24, 2003 at 21:20 UTC
The fixed length read is exactly what CGI.pm and SOAP::Lite use. You should do more validation to be safe. First, check the Content-Type. It is fine to post the XML directly to the script, but the client should set a Content-Type of text/xml. This will keep you from interpreting normal form posts as XML. Second, check that content length is set and check for a maximum content length. If you don't, an attacker can post 20 GB to your script and it will happily try to read it all into memory.	[reply]
Re: Re: cgi and stdin by mcogan1966 (Monk) on Oct 24, 2003 at 18:02 UTC
Yes, this is correct. In fact, all my CGI code now does a check to see if it's called by 'GET' or 'POST' method, and pulls appropriately.	[reply]
Re: Re: Re: cgi and stdin by tilly (Archbishop) on Oct 25, 2003 at 05:59 UTC
Hand-rolled logic? Then without looking I am willing to bet that your code is broken. See Use CGI or die; for some of the standard pitfalls.	[reply]