SF.net SVN: ledger-smb: [2196] trunk



Revision: 2196
          http://ledger-smb.svn.sourceforge.net/ledger-smb/?rev=2196&view=rev
Author:   christopherm
Date:     2008-07-08 12:36:23 -0700 (Tue, 08 Jul 2008)

Log Message:
-----------
CONTENT_LENGTH is a user supplied variable. Without any checks for size, one could easily DoS the machine with very large POSTS

Modified Paths:
--------------
    trunk/LedgerSMB/Form.pm
    trunk/admin.pl
    trunk/ledgersmb.conf.default

Modified: trunk/LedgerSMB/Form.pm
===================================================================
--- trunk/LedgerSMB/Form.pm	2008-07-07 22:49:08 UTC (rev 2195)
+++ trunk/LedgerSMB/Form.pm	2008-07-08 19:36:23 UTC (rev 2196)
@@ -89,6 +89,11 @@
 
     my $argstr = shift;
 
+    if ($ENV{CONTENT_LENGTH} > $LedgerSMB::Sysconfig::max_post_size; ) {
+        print "Status: 413\n Request entity too large\n\n";
+        die "Error: Request entity too large\n";
+    }
+
     read( STDIN, $_, $ENV{CONTENT_LENGTH} );
 
     if ($argstr) {
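Review bot: the new condition in Form.pm will not compile: `if ($ENV{CONTENT_LENGTH} > $LedgerSMB::Sysconfig::max_post_size; ) {` has a stray `;` inside the parentheses, which is a syntax error in Perl. Drop it so the line reads `if ($ENV{CONTENT_LENGTH} > $LedgerSMB::Sysconfig::max_post_size) {`. Two further points on the same lines. First, the variable it compares against, `$LedgerSMB::Sysconfig::max_post_size`, is not defined anywhere in this change set (Sysconfig.pm is not in the modified paths, and the config key added below is spelled `max_form_size`), so once the syntax error is fixed the comparison would be against undef, which Perl treats as 0, and every POST with a non-zero CONTENT_LENGTH would be rejected with 413; the name needs to match the config key and Sysconfig.pm needs to read it. Second, the CGI status line `print "Status: 413\n Request entity too large\n\n";` puts the reason phrase on a separate, space-indented line, which is not a valid header; it should be `print "Status: 413 Request Entity Too Large\n\n";` on one line. Since CONTENT_LENGTH is untrusted, it would also be worth coercing it to an integer (or treating a missing or non-numeric value as 0) before both the comparison and the `read`, rather than passing the raw environment string through.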

Modified: trunk/admin.pl
===================================================================
--- trunk/admin.pl	2008-07-07 22:49:08 UTC (rev 2195)
+++ trunk/admin.pl	2008-07-08 19:36:23 UTC (rev 2196)
@@ -53,7 +53,12 @@
 
 $| = 1;
 
-if ( $ENV{CONTENT_LENGTH} ) {
+if ($ENV{CONTENT_LENGTH} > $LedgerSMB::Sysconfig::max_post_size; ) {
+    print "Status: 413\n Request entity too large\n\n";
+    die "Error: Request entity too large\n";
+}
+
+if ( $ENV{CONTENT_LENGTH} > 0 ) {
     read( STDIN, $_, $ENV{CONTENT_LENGTH} );
 }
 
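Review bot: the admin.pl hunk carries the same defects as the Form.pm one: the stray `;` inside the condition `if ($ENV{CONTENT_LENGTH} > $LedgerSMB::Sysconfig::max_post_size; ) {` is a syntax error, `$LedgerSMB::Sysconfig::max_post_size` is never defined (the config file adds `max_form_size`, and nothing in this commit loads it into Sysconfig), and the 413 response splits the reason phrase onto an indented second line instead of `Status: 413 Request Entity Too Large`. Since this block is duplicated verbatim in two files, consider moving the size check into one helper in Sysconfig or Form.pm and calling it from both places, so the limit and the response format stay consistent. The change from `if ( $ENV{CONTENT_LENGTH} )` to `if ( $ENV{CONTENT_LENGTH} > 0 )` is fine and also avoids a numeric warning on an empty string, but note that with `max_post_size` undefined the 413 branch fires before this line is ever reached.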

Modified: trunk/ledgersmb.conf.default
===================================================================
--- trunk/ledgersmb.conf.default	2008-07-07 22:49:08 UTC (rev 2195)
+++ trunk/ledgersmb.conf.default	2008-07-08 19:36:23 UTC (rev 2196)
@@ -10,6 +10,9 @@
 # Maximum number of invoices that can be printed on a cheque
 check_max_invoices : 5
 
+# Maximum POST size to prevent DoS (4MB default)
+max_form_size : 4194304
+
 [environment]
 # If the server can't find applications, append to the path
 PATH: /usr/local/pgsql/bin
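Review bot: the new key is named `max_form_size` here, but both code hunks read `$LedgerSMB::Sysconfig::max_post_size`; pick one name and use it in all three files, and add the corresponding line to LedgerSMB/Sysconfig.pm so the value is actually read from the `[main]` section (that file is not in the modified paths, so as committed the setting is never loaded and the limit silently defaults to nothing). The comment `# Maximum POST size to prevent DoS (4MB default)` matches the value 4194304 (4 MiB); stating that the unit is bytes in the comment would help administrators who edit the file.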
