Re: A serious security problem with CGI.pm 3.01?

Hmm, I found this snippet of code, which can be found in the init sub in the raw CGI.pm you can download from there:

METHOD: {

      # avoid unreasonably large postings
      if (($POST_MAX > 0) && ($content_length > $POST_MAX)) {
      $self->cgi_error("413 Request entity too large");
      last METHOD;
      }
[download]

So it's not as if the POST_MAX functionality has been stripped from CGI.pm 3.01 in all versions. Maybe there's a glitch in the tarball? (which I'm assuming you used).

I'd be interested to see what happens if the module is in fact *installed* rather than (as appears to have been the case here) just taking the CGI.pm file from the tarball and placing it in the same directory as the CGI script. After all, you gotta leave something for Makefile.PL to do =)

update : here's a thought. Try :

grep 'POST_MAX' *
[download]

in the directory where you unpacked the tarball.

perl -e 'print "How sweet does a rose smell? "; chomp ($n = <STDIN>); 
+$rose = "smells sweet to degree $n"; *other_name = *rose; print "$oth
+er_name\n"'
[download]

Comment on Re: A serious security problem with CGI.pm 3.01? Select or Download Code

Replies are listed 'Best First'.
Re: Re: A serious security problem with CGI.pm 3.01? by tachyon (Chancellor) on Jul 11, 2001 at 20:00 UTC
Yes I downloaded the tarball - the CGI.pm contained within does not have this METHOD. Nor does it have the string $content_length. As noted the only place $POST_MAX appears is in the pod with a reference to the missing initialise_globals() sub. iakobski points out that Object.pm uses State.pm. In State.pm you can find the missing references to $POST_MAX. It must therfore be an installation problem. The pod has just not been updated yet to reflect the new postioning of $POST_MAX. The fact that you seem to be able to do a hand install that gives a functioning (sort of) CGI.pm is a bit worrying as some people still insist on hand installs and CGI.pm is so popular this is bound to happen. Oh well what do you expect if you don't read the instructions! I was having nightmares as I have been pestering my sysadmin to upgrade from 2.75 to 3.01 as the upload method is broken on our 2.75 (you just have to get your file handle the old way). cheers tachyon s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print	[reply]

Replies are listed 'Best First'.

Re: Re: A serious security problem with CGI.pm 3.01?
by tachyon (Chancellor) on Jul 11, 2001 at 20:00 UTC

Yes I downloaded the tarball - the CGI.pm contained within does not have this METHOD. Nor does it have the string $content_length. As noted the only place $POST_MAX appears is in the pod with a reference to the missing initialise_globals() sub.

iakobski points out that Object.pm uses State.pm. In State.pm you can find the missing references to $POST_MAX. It must therfore be an installation problem. The pod has just not been updated yet to reflect the new postioning of $POST_MAX. The fact that you seem to be able to do a hand install that gives a functioning (sort of) CGI.pm is a bit worrying as *some* people still insist on hand installs and CGI.pm is so popular this is bound to happen. Oh well what do you expect if you don't read the instructions!

I was having nightmares as I have been pestering my sysadmin to upgrade from 2.75 to 3.01 as the upload method is broken on our 2.75 (you just have to get your file handle the old way).

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

[reply]