Date: Thu, 24 Jun 2004 22:54:18 +0300
From: Ville Skyttä <scop@FreeBSD.org>
To: freebsd-cvsweb@freebsd.org
Subject: Re: limiting the query string length
Message-ID: <1088106858.27589.1455.camel@bobcat.mine.nu>
In-Reply-To: <86eko6gn78.knu@iDaemons.org>
References: <86eko6gn78.knu@iDaemons.org>
On Wed, 2004-06-23 at 21:10, Akinori MUSHA wrote:

> What about limiting the query string length to prevent potential
> exploit attacks against cvs?

Why not, it's just a couple of lines, but...

> + length($qs) >= 1024 and fatal('500 Internal Error', 'Malformed request.');

... I think at least the message should be improved to tell exactly what is wrong with the request.

Other points worth noting:

- Maybe it's not only the query string (don't remember now, haven't checked); long paths may get passed to cvs(1) too, right?

- The request URI length can be limited at the web server level as well; for example, for Apache (1.3.2+) see the LimitRequestLine directive.
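Review bot: the quoted `+` line reports a client-side problem (an over-long query string) with `500 Internal Error`, which mislabels it as a server fault; a 4xx status such as `400 Bad Request` (or `414 Request-URI Too Long` if the whole request URI is what is being bounded) is the accurate response, and the message should state the limit that was exceeded rather than the generic 'Malformed request.'. Note also that `length($qs) >= 1024` rejects a query string of exactly 1024 bytes, so the documented limit should say 1023 or the comparison should become `> 1024`, whichever is intended.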
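A fuller version of the check discussed in this thread, as an added example that is not cvsweb's own code: it bounds both QUERY_STRING and PATH_INFO (the path component that also reaches cvs(1)), answers with a 4xx status, and says which component was too long. The limits, the fatal() stand-in and the sample requests are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not cvsweb's own code: bound the query string and the
# path before either is handed to cvs(1), and explain any rejection.
use strict;
use warnings;

# Hypothetical limits in bytes, chosen for the example.
my %LIMIT = (
    QUERY_STRING => 1023,   # a 1024-byte query string is rejected
    PATH_INFO    => 1023,
);

# Returns an empty list when the request is acceptable, otherwise a
# status line and a message naming the offending component and limit.
sub check_request_lengths {
    my ($env) = @_;          # hashref; under CGI this would be \%ENV
    for my $key (sort keys %LIMIT) {
        my $value = defined $env->{$key} ? $env->{$key} : '';
        my $len   = length $value;
        next if $len <= $LIMIT{$key};
        return ('400 Bad Request',
                sprintf('%s is %d bytes long; at most %d bytes are accepted.',
                        $key, $len, $LIMIT{$key}));
    }
    return;
}

# Stand-in for cvsweb's fatal(): emit the CGI status and message, then exit.
sub fatal {
    my ($status, $msg) = @_;
    print "Status: $status\r\nContent-Type: text/plain\r\n\r\n$msg\n";
    exit 1;
}

# Constructed sample requests, not real cvsweb traffic.
my @samples = (
    { QUERY_STRING => 'rev=1.1;content-type=text/plain',
      PATH_INFO    => '/src/lib/example.c' },
    { QUERY_STRING => 'x' x 1024, PATH_INFO => '/src' },
    { QUERY_STRING => '',         PATH_INFO => '/' . ('a' x 1100) },
);
for my $req (@samples) {
    my ($status, $msg) = check_request_lengths($req);
    print defined $status ? "rejected: $status: $msg\n" : "accepted\n";
}
# Inside cvsweb the call would be:
#   my ($st, $m) = check_request_lengths(\%ENV); fatal($st, $m) if $st;
```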