help-cgicc

Re[2]: [help-cgicc] worrying potential DoS issue


From: Igor
Subject: Re[2]: [help-cgicc] worrying potential DoS issue
Date: Wed, 21 Jun 2006 15:28:55 +0400

Hello Steven,

Wednesday, June 21, 2006, 3:38:51 AM, you wrote:

SK> Hello Igor,

SK> See below for comments. Russell and I are colleagues in case you are 
SK> wondering.

RK>> Content-Length: 2000000000

SK> In fact, the HTTP server cannot have any knowledge of the REAL content
SK> length for HTTP POST messages before setting the environment variables
SK> (which includes CONTENT_LENGTH) for CGI to parse because the message body
SK> is not buffered by HTTP servers (well Apache anyway :)).

    Right.

SK> Therefore, the content length sent by the client has to be used as the
SK> environment variable used by CGI, this has been verified experimentally
SK> with Apache 2.

    I will add - if your HTTP server is misconfigured.

SK> With a few requests, you can bog a system down very quickly.

    Yes, so much for the cgicc library and, by the way, for the Perl CGI
    library and for many others. The impact depends on the environment and
    implementation. Most CGI libraries though do have a kind of
    MAX_POST_LENGTH variable defined in their bodies....

SK> Please correct me if I'm wrong because this issue is VERY important.

    You just didn't set up your Apache correctly. You have to
    define LimitRequestBody in the Apache config or you will get into
    big trouble with almost any CGI library. (Take a look at how they
    are implemented: they rely on server configuration by default
    unless a system administrator or a programmer configured them otherwise,
    which really does not happen often.)

Igor>>  I'm not sure about this behavior but cookies are part of the HTTP
Igor>>    header. Therefore the header should be received first, processed
Igor>>    by the HTTP server, and only then can cgicc handle it. I
Igor>>    doubt it is possible to avoid this pattern at the cgicc level.

SK> True, cookies are part of the headers and they are set as environment
SK> variables for the CGI program to use, see the specification -
SK> http://hoohoo.ncsa.uiuc.edu/cgi/
SK> So you could get all of the environment variables before loading the
SK> message body for HTTP POST and parsing it for data. There are two sources
SK> of data for CGI to use, the environment variables and standard input
SK> (std::cin) so we should be able to separate these two sources.

SK> We are still hoping to submit a patch.

   httpd.conf:
    LimitRequestBody %BYTES%

SK> I'm sorry about the rant, but it could cause a lot of pain if we ignore
SK> this issue.


-- 
Best regards,
 Igor                            mailto:address@hidden
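
The library-side counterpart to LimitRequestBody discussed in this thread, as an added example that is not part of the original message and is not cgicc code: a CGI program checks the client-declared CONTENT_LENGTH against a cap before reading, and grows its buffer only as bytes actually arrive. The names `read_post_body`, `PostStatus` and the 64 KiB cap are assumptions made for the illustration.

```cpp
#include <algorithm>
#include <cerrno>
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>

enum class PostStatus { Ok, MissingLength, BadLength, TooLarge, ShortBody };

// Hypothetical helper (not a cgicc API): validate the declared length,
// refuse oversized requests before allocating, then read in bounded chunks.
PostStatus read_post_body(const char* declared, std::istream& in,
                          std::size_t max_len, std::string& body) {
    body.clear();
    if (declared == nullptr || *declared == '\0') return PostStatus::MissingLength;
    // Digits only: rejects "-1", "+5", " 10", "0x10" and similar.
    for (const char* p = declared; *p; ++p)
        if (*p < '0' || *p > '9') return PostStatus::BadLength;
    errno = 0;
    unsigned long long n = std::strtoull(declared, nullptr, 10);
    if (errno == ERANGE) return PostStatus::BadLength;   // does not fit at all
    if (n > max_len) return PostStatus::TooLarge;        // nothing allocated yet
    // Never reserve n bytes up front: memory use follows the data received,
    // not the number the client claimed.
    char chunk[4096];
    std::size_t remaining = static_cast<std::size_t>(n);
    while (remaining > 0) {
        in.read(chunk, static_cast<std::streamsize>(std::min(remaining, sizeof chunk)));
        std::size_t got = static_cast<std::size_t>(in.gcount());
        if (got == 0) return PostStatus::ShortBody;      // client sent less than declared
        body.append(chunk, got);
        remaining -= got;
    }
    return PostStatus::Ok;
}

int main() {
    const std::size_t kMaxPost = 64 * 1024;  // constructed cap for this example
    std::string body;
    PostStatus st = read_post_body(std::getenv("CONTENT_LENGTH"), std::cin, kMaxPost, body);
    if (st != PostStatus::Ok) {
        std::cout << "Status: "
                  << (st == PostStatus::TooLarge ? "413 Payload Too Large" : "400 Bad Request")
                  << "\r\n\r\n";
        return 0;
    }
    std::cout << "Content-Type: text/plain\r\n\r\nread " << body.size() << " bytes\n";
    return 0;
}
```

The check in the program complements the server limit rather than replacing it: LimitRequestBody stops the request at the server, while the cap here protects the program when the server is left at its defaults.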