SF.net SVN: ledger-smb:[2265] branches/1.2
- Subject: SF.net SVN: ledger-smb:[2265] branches/1.2
- From: ..hidden..
- Date: Thu, 14 Aug 2008 17:31:45 +0000
Revision: 2265
http://ledger-smb.svn.sourceforge.net/ledger-smb/?rev=2265&view=rev
Author: christopherm
Date: 2008-08-14 17:31:44 +0000 (Thu, 14 Aug 2008)
Log Message:
-----------
CONTENT_LENGTH is a user supplied variable. Without any checks for size, one could easily DoS the machine with very large POSTs. Committing changes made to /trunk/ in /branches/1.2/
Modified Paths:
--------------
branches/1.2/LedgerSMB/Form.pm
branches/1.2/admin.pl
branches/1.2/ledgersmb.conf.default
Modified: branches/1.2/LedgerSMB/Form.pm
===================================================================
--- branches/1.2/LedgerSMB/Form.pm 2008-08-14 16:15:40 UTC (rev 2264)
+++ branches/1.2/LedgerSMB/Form.pm 2008-08-14 17:31:44 UTC (rev 2265)
@@ -52,6 +52,11 @@
my $argstr = shift;
+ if ($ENV{CONTENT_LENGTH} > $LedgerSMB::Sysconfig::max_post_size) {
+ print "Status: 413\n Request entity too large\n\n";
+ die "Error: Request entity too large\n";
+ }
+
read( STDIN, $_, $ENV{CONTENT_LENGTH} );
if ($argstr) {
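Review bot: The 413 response is malformed as printed in this hunk: `print "Status: 413\n Request entity too large\n\n";` emits a bare `Status: 413` line followed by a line starting with a space, which only reaches the client as `Status: 413 Request entity too large` if the web server happens to apply obsolete header folding. Put the reason phrase on the same line, e.g. `print "Status: 413 Request Entity Too Large\r\n\r\n";`, so every CGI host sends the intended status. Two smaller points on the same check: `$ENV{CONTENT_LENGTH}` is compared numerically without first checking it is defined and numeric, so a GET request (no CONTENT_LENGTH) warns about an uninitialized value under `use warnings`, and a non-numeric value silently compares as 0; and if `$LedgerSMB::Sysconfig::max_post_size` is undefined, which happens on installs whose existing ledgersmb.conf predates the new key, the comparison degrades to `CONTENT_LENGTH > 0` and every non-empty POST is rejected. Guard with `defined $ENV{CONTENT_LENGTH} && $ENV{CONTENT_LENGTH} =~ /^\d+$/` and give `max_post_size` a code-level fallback default in Sysconfig.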
Modified: branches/1.2/admin.pl
===================================================================
--- branches/1.2/admin.pl 2008-08-14 16:15:40 UTC (rev 2264)
+++ branches/1.2/admin.pl 2008-08-14 17:31:44 UTC (rev 2265)
@@ -53,7 +53,12 @@
$| = 1;
-if ( $ENV{CONTENT_LENGTH} ) {
+if ( $ENV{CONTENT_LENGTH} > $LedgerSMB::Sysconfig::max_post_size ) {
+ print "Status: 413\n Request entity too large\n\n";
+ die "Error: Request entity too large\n";
+}
+
+if ( $ENV{CONTENT_LENGTH} > 0 ) {
read( STDIN, $_, $ENV{CONTENT_LENGTH} );
}
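Review bot: The same header-formatting and undefined-value issues as in Form.pm apply to this hunk (`print "Status: 413\n Request entity too large\n\n";` should be a single `Status: 413 Request Entity Too Large` line, and `max_post_size` needs a fallback when the config key is absent). Since the size check and the 413 response are now duplicated verbatim in admin.pl and Form.pm, consider moving them into one helper in LedgerSMB::Form (or Sysconfig) and calling it from both places, so the two copies cannot drift apart. The switch from `if ( $ENV{CONTENT_LENGTH} )` to `if ( $ENV{CONTENT_LENGTH} > 0 )` is fine, but it has the same numeric-comparison-on-an-unvalidated-string caveat: a missing CONTENT_LENGTH warns under `use warnings`, so test for definedness first.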
Modified: branches/1.2/ledgersmb.conf.default
===================================================================
--- branches/1.2/ledgersmb.conf.default 2008-08-14 16:15:40 UTC (rev 2264)
+++ branches/1.2/ledgersmb.conf.default 2008-08-14 17:31:44 UTC (rev 2265)
@@ -10,6 +10,9 @@
# Maximum number of invoices that can be printed on a cheque
check_max_invoices : 5
+# Maximum POST size to prevent DoS (4MB default)
+max_post_size : 4194304
+
[environment]
# If the server can't find applications, append to the path
PATH: /usr/local/pgsql/bin
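Review bot: The comment `# Maximum POST size to prevent DoS (4MB default)` should state the unit explicitly (bytes), since `4194304` is only meaningful once the reader knows the key is in bytes rather than kilobytes. More importantly, this hunk only changes ledgersmb.conf.default; deployments already running 1.2 keep their own ledgersmb.conf and will not pick up `max_post_size`, so the code reading this key must default to 4194304 when it is missing, and the upgrade notes should mention the new key.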