On May 9, 2007, at 10:54 AM, Gabriel Barazer wrote:

> On 05/08/2007 21:41:41 +0200, Janis Volbergs <[EMAIL PROTECTED]> wrote:
>
>> Why not limit maximum size of the data to be uploaded? This should be
>> an easy patch to mod_fcgi. And about buffering, it would be more safe
>> to have temporary files. However, this might get insecure, if the
>> server has multiuser environment. E.g. other users might easily steal
>> those files. So, it seems that there simply is no ultimate solution.
>>
>
> I don't think limiting the input data size is a good workaround,  
> because
> FastCGI has to manage only the transport and communication between the
> FastCGI application server and the web server. Thus
> filtering/limiting/buffering has to be done by the FastCGI server, not
> the process manager (mod_fcgid in our case). I don't think the  
> transport
> layer has anything to do other than queuing up connections, then
> transmitting data over sockets. Hence my proposal of completely
> disabling the FastCGI buffering system, or replacing it by a REAL
> buffering system which buffers chunks of data (8192 bytes is a good
> average buffer size). CGI works like this.
>

I understand your point, but what I proposed would be a quick and  
simple patch that would resolve the security issue.

Though, your proposal would be more logic and would give more value  
added in future.

> And this is the right way to handle data : let the application server
> create temp file is his secured environment/jail/user rights, just as
> PHP or some other scripting langages do.
>


perhaps create a patch and propose for it's inclusion in the next  
release ;)

cheers,
j.



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Mod-fcgid-users mailing list
Mod-fcgid-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-fcgid-users

Reply via email to