
Re: [help-cgicc] worrying potential DoS issue


From: Igor
Subject: Re: [help-cgicc] worrying potential DoS issue
Date: Thu, 15 Jun 2006 17:27:45 +0400

Hello Russell,

Thursday, June 15, 2006, 10:20:05 AM, you wrote:

RK> Would it be possible to make several requests with a false content
RK> length? Say:

RK> Content-Length: 2000000000
RK> I think this would soon lead to denial of service for legitimate users
RK> of the cgi script as memory would be exhausted (and swapping would 
RK> probably slow the system down). I'm not sure if I've thought this 
RK> through properly, so please correct me if I haven't.

    You're wrong in considering that cgicc is responsible for
    HTTP packet handling. Naturally it is the job of the HTTP server. It
    is the HTTP server that sets up the content length variable, and it won't
    be set unless the HTTP server receives a valid packet. In other words, if
    the packet has an incomplete header and there is no bug in the
    server itself, the packet will be rejected and your CGI application
    won't even know about the packet's existence.

RK> I've also run into another problem with session validation using 
RK> cookies. Unfortunately, during a file upload, this session validation 
RK> cannot be performed as the CgiEnvironment object can't be instantiated 
RK> before the upload is complete. This is a problem because I'm wanting to 
RK> check the cookie before continuing to accept the file upload.

    I'm not sure about this behavior, but cookies are part of the HTTP
    header. Therefore the header should be received first, processed
    by the HTTP server, and only then can cgicc handle it. I
    doubt it is possible to avoid this pattern at the cgicc level.

RK> To me it would make more sense to retrieve the data from the client in 
RK> the Cgicc object so that the CgiEnvironment object can be used (for 
RK> example, to retrieve cookies) before all of the data has been retrieved.

RK> Apart from these issues, I've been very happy with the library. It's one 
RK> of the few C++ libraries that actually makes use of the language features.

    I wish cgicc provided an interface for
    changing_existing | adding_new values of FormData entries.

-- 
www.rol.ru
Best regards,
 Igor                            mailto:address@hidden
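An added example, not code from cgicc or from either poster, showing the check a CGI program can apply to CONTENT_LENGTH itself before handing stdin to cgicc; the 8 MiB cap, the chunk size and the function names are assumptions.

```cpp
// Added example (not cgicc code): defensive handling of CONTENT_LENGTH in a
// CGI program, as a hypothetical pre-check before handing stdin to cgicc.
#include <cerrno>
#include <cstdlib>
#include <istream>
#include <sstream>
#include <string>

// Upper bound we are willing to buffer for one request (assumed value).
const unsigned long kMaxBodyBytes = 8UL * 1024 * 1024; // 8 MiB

// Parse the CONTENT_LENGTH environment value strictly: only decimal digits,
// no sign, no trailing junk, and not above our cap. Returns false on any
// violation so the caller can answer 413 without reading the body at all.
bool parseContentLength(const char* value, unsigned long& out) {
    if (value == nullptr || *value == '\0') return false;
    for (const char* p = value; *p; ++p)
        if (*p < '0' || *p > '9') return false;   // rejects "-1", " 12", "1e9"
    errno = 0;
    char* end = nullptr;
    unsigned long n = std::strtoul(value, &end, 10);
    if (errno == ERANGE || *end != '\0') return false;
    if (n > kMaxBodyBytes) return false;          // "2000000000" is refused here
    out = n;
    return true;
}

// Read exactly `declared` bytes in fixed chunks instead of reserving the
// declared size up front. A client that announces more than it sends
// (Russell's scenario) costs at most `declared` bytes, already capped, and a
// short read is reported as a failure rather than silently accepted.
bool readPostBody(std::istream& in, unsigned long declared, std::string& body) {
    char chunk[4096];
    body.clear();
    while (body.size() < declared) {
        unsigned long want = declared - body.size();
        if (want > sizeof chunk) want = sizeof chunk;
        in.read(chunk, static_cast<std::streamsize>(want));
        std::streamsize got = in.gcount();
        if (got <= 0) return false;               // truncated body
        body.append(chunk, static_cast<std::size_t>(got));
    }
    return true;
}

// Convenience wrapper so the reader logic can be exercised on an in-memory
// body (constructed input) without a real CGI stdin.
bool readBodyFromString(const std::string& data, unsigned long declared, std::string& body) {
    std::istringstream in(data);
    return readPostBody(in, declared, body);
}
```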
