Date: Fri, 25 Jun 2004 23:33:41 +0900
Message-ID: <86659fzoze.knu@iDaemons.org>
From: "Akinori MUSHA"
To: freebsd-cvsweb@freebsd.org
In-Reply-To: <1088106858.27589.1455.camel@bobcat.mine.nu>
References: <86eko6gn78.knu@iDaemons.org> <1088106858.27589.1455.camel@bobcat.mine.nu>
Subject: Re: limiting the query string length

Hi,

At Thu, 24 Jun 2004 22:54:18 +0300,
Ville Skyttä wrote:
> On Wed, 2004-06-23 at 21:10, Akinori MUSHA wrote:
>
> > What about limiting the query string length to prevent potential
> > exploit attacks against cvs?
>
> Why not, it's just a couple of lines, but...
>
> > + length($qs) >=3D 1024 and fatal('500 Internal Error', 'Malformed req= uest.');
>
> ... I think at least the message should be improved to tell exactly what
> is wrong with the request.

In fact I thought the opposite (like "Don't give a hint to an attacker
as to what was wrong with the try"), however, a more helpful message
might not hurt in this case.

> Other points worth noting:
> - Maybe it's not only the query string (don't remember now, haven't
>   checked), long paths may get passed to cvs(1) too, right?

Yeah, right.  It should be checked, too.

> - The request URI length can be limited on web server level as well, for
>   example for Apache (1.3.2+) see the LimitRequestLine directive.

True, but it all depends on the web server and it would be nicer if
CVSweb is made robust itself with any unconfigured (or only lightly
tuned) web server.

Regards,

-- 
                     /
                    /__  __            Akinori.org / MUSHA.org
                   / )  )  ) )  /     FreeBSD.org / Ruby-lang.org
Akinori MUSHA aka / (_ /  ( (__(  @ iDaemons.org / and.or.jp

"It seems to me as we make our own few circles 'round the sun
  We get it backwards and our seven years go by like one"
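
Review bot: The quoted `length($qs)` check reports an over-long request as '500 Internal Error', which labels a client-side problem as a server fault; a 4xx status (414 Request-URI Too Long fits a length limit) would keep these rejections out of server-error monitoring without saying anything about cvs itself. The test also bounds only `$qs`, so the path component that the reply notes may also be passed to cvs(1) stays unlimited, and the literal 1024 would be easier to tune as a named configuration variable with a comment on why that value was chosen.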