httpd-dev mailing list archives

From Aaron Bannert <aa...@clove.org>
Subject Re: [PATCH] fix LimitRequestBody for all input handlers
Date Thu, 11 Apr 2002 23:34:08 GMT
On Thu, Apr 11, 2002 at 04:27:08PM -0700, Justin Erenkrantz wrote:
> No.  The limit needs to apply to *all* bucket reads not just the
> ap_get_client_block which we shouldn't even be supporting
> (it's old cruft from 1.3).  This patch is broken as inputs
> will not be limited if you don't use ap_get_client_block()
> (say use ap_get_brigade() - you won't limit it).
> 
> I believe ap_http_input_filter is the right place.  You really
> need to make a case as to why this is wrong.  This really seems
> like CGI is broken.  -- justin

I guess I'm unclear why it is CGI's responsibility to watch for this.
Do we then need to put these kinds of checks in every http-body-using
element? (My relative newness to the filters is showing.)

Another thing I'm even less clear about is what ap_get_client_block is
for. Where the heck do normal modules grab the entire post body from
(I truly don't know)?

-aaron
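
Added example, not part of this message or of the httpd source: a toy C model of the point made in the quoted text, that a body limit checked in only one accessor is not applied to readers using the other, while a check in the shared input layer covers both. `request`, `filter_read`, `drain` and the simplified `get_client_block`/`get_brigade` signatures are hypothetical stand-ins, not the real httpd API.

```c
#include <stdio.h>
#include <string.h>
/* Toy model, NOT httpd code: filter_read() stands in for the HTTP input
 * filter, the two accessors for ap_get_client_block() and ap_get_brigade().
 * All struct fields and helper names are hypothetical. */
typedef struct {
    const char *body;     /* constructed request body */
    size_t len, pos;      /* total length, bytes consumed so far */
    size_t limit;         /* LimitRequestBody analogue, 0 = unlimited */
    int limit_in_filter;  /* 1: check in shared layer, 0: only in block API */
} request;
#define TOO_LARGE (-1L)
/* Shared layer: every body byte passes through here. */
static long filter_read(request *r, char *buf, size_t n) {
    if (n > r->len - r->pos) n = r->len - r->pos;
    if (r->limit_in_filter && r->limit && r->pos + n > r->limit)
        return TOO_LARGE;             /* refuse before handing data up */
    memcpy(buf, r->body + r->pos, n);
    r->pos += n;
    return (long)n;
}
/* Legacy accessor: carries its own check when the filter has none. */
static long get_client_block(request *r, char *buf, size_t n) {
    long got = filter_read(r, buf, n);
    if (got > 0 && !r->limit_in_filter && r->limit && r->pos > r->limit)
        return TOO_LARGE;
    return got;
}
/* Brigade-style accessor: reads straight from the shared layer. */
static long get_brigade(request *r, char *buf, size_t n) {
    return filter_read(r, buf, n);
}
/* Drain a body through one accessor: bytes accepted, or TOO_LARGE. */
long drain(int use_brigade, int limit_in_filter, size_t limit, const char *body) {
    request r = { body, strlen(body), 0, limit, limit_in_filter };
    char buf[8];
    long total = 0, got;
    while ((got = use_brigade ? get_brigade(&r, buf, sizeof buf)
                              : get_client_block(&r, buf, sizeof buf)) > 0)
        total += got;
    return got < 0 ? TOO_LARGE : total;
}
int main(void) {
    const char *body = "0123456789abcdef0123456789abcdef"; /* constructed, 32 bytes */
    printf("block API, check in API only: %ld\n", drain(0, 0, 16, body));
    printf("brigade,   check in API only: %ld\n", drain(1, 0, 16, body));
    printf("brigade,   check in filter:   %ld\n", drain(1, 1, 16, body));
    return 0;
}
```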
