From owner-freebsd-cvsweb@FreeBSD.ORG  Wed Jun 23 18:10:27 2004
Return-Path: <owner-freebsd-cvsweb@FreeBSD.ORG>
Delivered-To: freebsd-cvsweb@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 93B0216A4D2
	for <freebsd-cvsweb@freebsd.org>;
	Wed, 23 Jun 2004 18:10:27 +0000 (GMT)
Received: from mail.musha.org (daemon.musha.org [210.189.104.8])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2D23043D2F
	for <freebsd-cvsweb@freebsd.org>;
	Wed, 23 Jun 2004 18:10:27 +0000 (GMT)
	(envelope-from knu@iDaemons.org)
Received: from archon.local.idaemons.org (archon.local.idaemons.org
	[192.168.1.32])	by mail.musha.org (Postfix) with ESMTP id F208CC637
	for <freebsd-cvsweb@freebsd.org>;
	Thu, 24 Jun 2004 03:10:19 +0900 (JST)
Date: Thu, 24 Jun 2004 03:10:19 +0900
Message-ID: <86eko6gn78.knu@iDaemons.org>
From: "Akinori MUSHA" <knu@iDaemons.org>
To: freebsd-cvsweb@freebsd.org
Organization: Associated I. Daemons
X-PGP-Public-Key: finger knu@FreeBSD.org
X-PGP-Fingerprint: 081D 099C 1705 861D 4B70  B04A 920B EFC7 9FD9 E1EE
MIME-Version: 1.0 (generated by EMIKO 1.14.1 - "Choanoflagellata")
Content-Type: text/plain; charset=US-ASCII
Subject: limiting the query string length
X-BeenThere: freebsd-cvsweb@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS Web maintenance mailing list <freebsd-cvsweb.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-cvsweb>,
	<mailto:freebsd-cvsweb-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-cvsweb>
List-Post: <mailto:freebsd-cvsweb@freebsd.org>
List-Help: <mailto:freebsd-cvsweb-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-cvsweb>,
	<mailto:freebsd-cvsweb-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jun 2004 18:10:27 -0000

Hi,

What about limiting the query string length to prevent potential
exploit attacks against cvs?

Index: cvsweb.cgi
===================================================================
RCS file: /mirror/freebsd/ncvs/root/projects/projects/cvsweb/cvsweb.cgi,v
retrieving revision 1.259
diff -u -r1.259 cvsweb.cgi
--- cvsweb.cgi	8 May 2004 14:13:40 -0000	1.259
+++ cvsweb.cgi	23 Jun 2004 17:28:15 -0000
@@ -384,7 +384,9 @@
 
 my %query = ();
 if (defined($ENV{QUERY_STRING})) {
-  for my $p (split(/[;&]+/, $ENV{QUERY_STRING})) {
+  my $qs = $ENV{QUERY_STRING};
+  length($qs) >= 1024 and fatal('500 Internal Error', 'Malformed request.');
+  for my $p (split(/[;&]+/, $qs)) {
     next unless $p;
     $p =~ y/+/ /;
     my ($key, $val) = split(/=/, $p, 2);


Regards,

-- 
                     /
                    /__  __            Akinori.org / MUSHA.org
                   / )  )  ) )  /     FreeBSD.org / Ruby-lang.org
Akinori MUSHA aka / (_ /  ( (__(  @ iDaemons.org / and.or.jp

"It seems to me as we make our own few circles 'round the sun
          We get it backwards and our seven years go by like one"