Date:      Fri, 25 Jun 2004 23:33:41 +0900
From:      "Akinori MUSHA" <knu@iDaemons.org>
To:        freebsd-cvsweb@freebsd.org
Subject:   Re: limiting the query string length
Message-ID:  <86659fzoze.knu@iDaemons.org>
In-Reply-To: <1088106858.27589.1455.camel@bobcat.mine.nu>
References:  <86eko6gn78.knu@iDaemons.org> <1088106858.27589.1455.camel@bobcat.mine.nu>

Hi,

At Thu, 24 Jun 2004 22:54:18 +0300,
Ville Skyttä wrote:
> On Wed, 2004-06-23 at 21:10, Akinori MUSHA wrote:
>
> > What about limiting the query string length to prevent potential
> > exploit attacks against cvs?
>
> Why not, it's just a couple of lines, but...
>
> > +  length($qs) >= 1024 and fatal('500 Internal Error', 'Malformed request.');
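Review bot: the status in `fatal('500 Internal Error', ...)` reports a server-side failure for what is an over-long client request; a 4xx status (414 Request-URI Too Long, or 400 Bad Request) is the accurate one here, and the message could state which input exceeded which limit rather than the generic "Malformed request."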
>
> ... I think at least the message should be improved to tell exactly what
> is wrong with the request.

In fact I thought the opposite (like "Don't give a hint to an attacker
as to what was wrong with the try"), however, a more helpful message
might not hurt in this case.

> Other points worth noting:
> - Maybe it's not only the query string (don't remember now, haven't
>   checked), long paths may get passed to cvs(1) too, right?

Yeah, right.  It should be checked, too.

> - The request URI length can be limited on web server level as well, for
>   example for Apache (1.3.2+) see the LimitRequestLine directive.

True, but it all depends on the web server and it would be nicer if
CVSweb is made robust itself with any unconfigured (or only lightly
tuned) web server.

Regards,

-- 
                     /
                    /__  __            Akinori.org / MUSHA.org
                   / )  )  ) )  /     FreeBSD.org / Ruby-lang.org
Akinori MUSHA aka / (_ /  ( (__(  @ iDaemons.org / and.or.jp

"It seems to me as we make our own few circles 'round the sun
          We get it backwards and our seven years go by like one"
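The length check discussed in this thread, applied to both the query string and the path that gets handed to cvs(1), and returning a client-error status with a message that names the offending input. This is an added Python example, not CVSweb's own Perl code; the function names and the limit values are assumptions (the patch above used 1024 for the query string).

```python
"""Length limits for a CVSweb-style CGI front end (added example)."""
import html

# Limits are assumptions for this example; the patch under discussion used 1024
# for the query string, and PATH_INFO is limited too because cvsweb passes path
# components on to cvs(1) as well.
LIMITS = {"QUERY_STRING": 1024, "PATH_INFO": 1024}


def check_request_length(environ, limits=LIMITS):
    """Return None if every limited CGI variable is within bounds, otherwise a
    (status, message) tuple naming the offending variable and its limit."""
    for name, limit in limits.items():
        value = environ.get(name, "")
        if len(value) > limit:
            # 414 is a client error (the request was too long), unlike the
            # 500 used in the original patch line.
            return ("414 Request-URI Too Long",
                    f"{name} is {len(value)} bytes; at most {limit} are accepted.")
    return None


def cgi_error_response(status, message):
    """Render the error the way a fatal() helper would: a Status header, a
    Content-Type header, a blank line, then an HTML-escaped body."""
    body = (f"<html><body><h1>{html.escape(status)}</h1>"
            f"<p>{html.escape(message)}</p></body></html>\n")
    return f"Status: {status}\r\nContent-Type: text/html\r\n\r\n{body}"


def handle(environ):
    """Run the length check before anything reaches cvs(1).

    Returns the complete CGI error response for a rejected request, or None
    when the request is within limits and processing may continue."""
    problem = check_request_length(environ)
    if problem is None:
        return None
    return cgi_error_response(*problem)


if __name__ == "__main__":
    # Constructed sample environments: a normal request and an oversized one.
    ok = {"QUERY_STRING": "rev=1.1", "PATH_INFO": "/src/sys/kern/kern_exec.c"}
    print(handle(ok))                                   # None
    too_long = {"QUERY_STRING": "a" * 5000, "PATH_INFO": "/src"}
    print(handle(too_long))                             # Status: 414 ... 5000 bytes
```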

