From: Ville Skyttä <scop@FreeBSD.org>
To: freebsd-cvsweb@freebsd.org
Subject: Re: limiting the query string length
Date: Thu, 24 Jun 2004 22:54:18 +0300
Organization: FreeBSD
Message-Id: <1088106858.27589.1455.camel@bobcat.mine.nu>
In-Reply-To: <86eko6gn78.knu@iDaemons.org>
References: <86eko6gn78.knu@iDaemons.org>
List-Id: CVS Web maintenance mailing list

On Wed, 2004-06-23 at 21:10, Akinori MUSHA wrote:
> What about limiting the query string length to prevent potential
> exploit attacks against cvs?

Why not, it's just a couple of lines, but...

> + length($qs) >= 1024 and fatal('500 Internal Error', 'Malformed request.');

... I think at least the message should be improved to tell exactly what is
wrong with the request.

Other points worth noting:

- Maybe it's not only the query string (don't remember now, haven't
  checked), long paths may get passed to cvs(1) too, right?

- The request URI length can be limited on web server level as well, for
  example for Apache (1.3.2+) see the LimitRequestLine directive.
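Review bot: the status in the quoted line, '500 Internal Error', reports a server fault for a condition the client caused; an over-long query string should be answered with a client-error status, e.g. fatal('414 Request-URI Too Long', ...) (or '400 Bad Request' if HTTP/1.0 clients are a concern), and the message should state that the query string exceeds the limit rather than the generic 'Malformed request.', since a 500 with a vague text is what an operator will otherwise chase in the error log. Two smaller points: '>= 1024' rejects a query string of exactly 1024 bytes, so either use '>' or document the limit as 1023; and the literal 1024 is better kept as a named constant or configuration setting so the check is easy to find and tune.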
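Added example (not cvsweb's code and not code from either poster), written in Perl because that is the language of the quoted patch. It illustrates the two points raised in the reply: the length check covers the path handed to cvs(1) as well as the query string, and the rejection names what was wrong. The limits, the `check_request_length` and `fatal` helpers, and the use of `$ENV{QUERY_STRING}` and `$ENV{PATH_INFO}` are assumptions for illustration; a 414 status is used because the condition is caused by the client, not by the server.

```perl
#!/usr/bin/perl
# Added example (not cvsweb's own code): reject over-long CGI input before any
# of it is handed to cvs(1). Both the query string and the path part are
# checked, and the response carries a client-error status and a message that
# says which part was too long and by how much.
use strict;
use warnings;

# Hypothetical limits; a real CGI would read these from its configuration.
my $MAX_QUERY_LEN = 1024;
my $MAX_PATH_LEN  = 1024;

# Returns an empty list when the request is acceptable, otherwise a
# two-element list (status line, explanation) for an HTTP error response.
sub check_request_length {
    my ($qs, $path_info, $max_qs, $max_path) = @_;
    $qs        = '' unless defined $qs;
    $path_info = '' unless defined $path_info;

    if (length($qs) > $max_qs) {
        return ('414 Request-URI Too Long',
                sprintf('Query string is %d bytes; the limit is %d.',
                        length($qs), $max_qs));
    }
    if (length($path_info) > $max_path) {
        return ('414 Request-URI Too Long',
                sprintf('Path is %d bytes; the limit is %d.',
                        length($path_info), $max_path));
    }
    return;    # empty list: request is within limits
}

# Minimal CGI error response, standing in for the fatal() helper the patch
# calls; emits the status, a plain-text body, and stops the script.
sub fatal {
    my ($status, $msg) = @_;
    print "Status: $status\r\n";
    print "Content-Type: text/plain\r\n\r\n";
    print "$status\n$msg\n";
    exit 0;
}

# Usage at the top of the CGI, before any argument reaches cvs(1):
my @err = check_request_length($ENV{QUERY_STRING}, $ENV{PATH_INFO},
                               $MAX_QUERY_LEN, $MAX_PATH_LEN);
fatal(@err) if @err;

print "Content-Type: text/plain\r\n\r\nRequest length OK.\n";
```

The check belongs in the script as well as in the web server: the Apache LimitRequestLine directive mentioned in the reply bounds the whole request line, which is a good outer guard, but the CGI is the only place that knows how much of that line it will pass on to cvs(1), so it should enforce its own, tighter limit on exactly those pieces.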