List:       freebsd-cvsweb
Subject:    Re: limiting the query string length
From:       "Akinori MUSHA" <knu () iDaemons ! org>
Date:       2004-06-25 14:33:41
Message-ID: 86659fzoze.knu () iDaemons ! org

Hi,

At Thu, 24 Jun 2004 22:54:18 +0300,
Ville Skyttä wrote:
> On Wed, 2004-06-23 at 21:10, Akinori MUSHA wrote:
> 
> > What about limiting the query string length to prevent potential
> > exploit attacks against cvs?
> 
> Why not, it's just a couple of lines, but...
> 
> > +  length($qs) >= 1024 and fatal('500 Internal Error', 'Malformed request.');
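
Review bot: the status passed to fatal() on this added line is '500 Internal Error', which reports an oversized query string as a server fault. The request is what is at fault here, so a 4xx status (414 Request-URI Too Long, or 400 Bad Request) would be more accurate and would keep 5xx error monitoring free of client-triggered noise. The bare literal 1024 would also be easier to tune and to reuse for a path check if it were a named configuration variable.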
> 
> ... I think at least the message should be improved to tell exactly what
> is wrong with the request.

In fact I thought the opposite (like "Don't give a hint to an attacker
as to what was wrong with the try"), however, a more helpful message
might not hurt in this case.

> Other points worth noting:
> - Maybe it's not only the query string (don't remember now, haven't 
>   checked), long paths may get passed to cvs(1) too, right?

Yeah, right.  It should be checked, too.

> - The request URI length can be limited on web server level as well, for
>   example for Apache (1.3.2+) see the LimitRequestLine directive.

True, but it all depends on the web server and it would be nicer if
CVSweb is made robust itself with any unconfigured (or only lightly
tuned) web server.

Regards,

-- 
                     /
                    /__  __            Akinori.org / MUSHA.org
                   / )  )  ) )  /     FreeBSD.org / Ruby-lang.org
Akinori MUSHA aka / (_ /  ( (__(  @ iDaemons.org / and.or.jp

"It seems to me as we make our own few circles 'round the sun
          We get it backwards and our seven years go by like one"
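
A sketch of the check discussed in this thread, covering both the query string and the path before either could reach cvs(1), and naming the offending part in the error. This is an added example, not CVSweb's code or the patch under discussion; the sub name `check_request_size`, the `%LIMIT` table, the 1024-byte path limit and the 414 status are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed limits. The patch in the thread used 1024 for the query string;
# applying the same value to PATH_INFO is an assumption of this example.
my %LIMIT = (QUERY_STRING => 1024, PATH_INFO => 1024);

# Returns undef when the request is within limits, otherwise an array
# reference [status line, message] that names the part that was too long.
sub check_request_size {
    my ($env) = @_;
    for my $part (sort keys %LIMIT) {
        my $value = defined $env->{$part} ? $env->{$part} : '';
        my $len   = length $value;
        next if $len < $LIMIT{$part};    # same ">=" boundary as the patch
        return ['414 Request-URI Too Long',
                "$part is $len bytes; the limit is $LIMIT{$part}."];
    }
    return;
}

# Constructed sample CGI environments (not taken from real traffic).
my @samples = (
    { QUERY_STRING => 'rev=1.5',            PATH_INFO => '/src/Makefile' },
    { QUERY_STRING => 'r1=' . 'A' x 2000,   PATH_INFO => '/src/Makefile' },
    { QUERY_STRING => '',                   PATH_INFO => '/' . 'd/' x 600 },
);

for my $env (@samples) {
    my $err = check_request_size($env);
    print $err ? "$err->[0]: $err->[1]\n" : "ok\n";
}
```

In a CGI script the hash reference passed in would be `\%ENV`, and the check would run before any request value is used to build a cvs command line.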
