A serious security problem with CGI.pm 3.01?
by tachyon (Chancellor) on Jul 11, 2001 at 18:45 UTC [id://95702]
tachyon has asked for the wisdom of the Perl Monks concerning the following question:

Thathom started a discussion on the chatterbox about why CGI.pm seemed to be allowing any size file to upload. Sure, you say, he didn't set $POST_MAX. Well, he did actually. The problem is that in his version of CGI.pm the initialise_globals() sub seems to be missing. All references to $POST_MAX outside the pod are missing. OK, so it's been edited. The problem is that he downloaded it from Lincoln Stein's website!

I just downloaded a copy of 3.01. In the CGI.pm file there is no reference to $POST_MAX anywhere outside the pod (at least according to my editor's find function). The initialise_globals() sub present in 2.74 (which I have on this box) is absent in 3.01. This would appear to be a significant security problem, as it opens this version up to denial of service attacks.

Has this been moved to an external library for some reason? I have looked in the new 'object.pm' module that CGI.pm now uses and it is not there. Am I mistaken, or is this a real problem? Is it only a problem if a proper install is not made? (I think that a cut and paste method was used :-( )

Here is the link to Lincoln's site where you can get a copy of CGI.pm 3.01: http://stein.cshl.org/WWW/software/CGI/cgi_docs.html#download

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
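The question above turns on whether the installed CGI.pm still honours $POST_MAX. The script below is an added example, not code from the post or from CGI.pm itself: it sets the limit the way a production CGI script should and then checks, offline and without a web server, that the module actually rejects an oversized request. It assumes the documented behaviour that CGI.pm compares CONTENT_LENGTH against $POST_MAX before reading the body and records a "413 Request entity too large" error retrievable via cgi_error(); if the installed copy has lost $POST_MAX (as the post suspects of 3.01), the check fails and reports it.

```perl
#!/usr/bin/perl
# Added example (not from the original post or from CGI.pm): verify that the
# installed CGI.pm enforces $CGI::POST_MAX.
#
# Assumption: when REQUEST_METHOD is POST and CONTENT_LENGTH exceeds
# $POST_MAX, CGI->new sets cgi_error() to "413 Request entity too large"
# and stops before reading STDIN. A copy of CGI.pm with the $POST_MAX
# handling missing will instead build the object with no error at all.
use strict;
use warnings;
use CGI;

# Limit the request body to 1 MiB. This must be assigned BEFORE CGI->new,
# because the check happens inside the constructor.
$CGI::POST_MAX        = 1024 * 1024;
$CGI::DISABLE_UPLOADS = 0;   # uploads stay allowed, just bounded in size

# Simulate a POST whose declared body is one byte over the limit.
# No body is written to STDIN: a correct CGI.pm never gets as far as
# reading it, which is exactly the denial-of-service protection at issue.
local $ENV{REQUEST_METHOD} = 'POST';
local $ENV{CONTENT_TYPE}   = 'application/x-www-form-urlencoded';
local $ENV{CONTENT_LENGTH} = $CGI::POST_MAX + 1;

print "Checking CGI.pm version $CGI::VERSION\n";

my $q   = CGI->new;
my $err = $q->cgi_error;

if (defined $err && $err =~ /^413/) {
    print "OK: oversized request rejected ($err)\n";
    exit 0;
}

print "WARNING: \$CGI::POST_MAX is not enforced by this CGI.pm.\n",
      "A POST of any size would be read into memory or temp files.\n";
exit 1;
```

In a real script the same cgi_error() call belongs right after CGI->new: if it returns a value, send it back as the status (for example `print $q->header(-status => $err)`) and return without touching param() or upload(), since the request was never read. Running the check against the installed module is a quick way to confirm that a hand-pasted or patched CGI.pm still has the limit before relying on it.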