httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Will" <william.leon...@lxcenter.org>
Subject Re: httpd and cgi
Date Sun, 25 Nov 2012 14:41:42 GMT
I don't know how it can decide to allow the upload at all.  That is actually 
more easily built into the webserver itself, I think.

-Will

----- Original Message ----- 
From: "Graham Leggett" <minfrin@sharp.fm>
To: <dev@httpd.apache.org>
Sent: Saturday, November 24, 2012 8:28 PM
Subject: Re: httpd and cgi


On 25 Nov 2012, at 3:17 AM, "Will" <william.leonard@lxcenter.org> wrote:

> The idea would be that the webserver would handle that file and send it to 
> cgi and delete it.

The web server would only handle the file when the upload of the file was 
complete. All the attacker needs to do is make sure lots of uploads start, 
upload 99% of their content, and then stop, never completing, and then 
repeat this pattern until you're out of disk.

In theory your CGI program would have had the power to decide before 
allowing the upload to start whether it was willing to accept the file, 
perhaps because the user was a trusted user, or because enough space was 
available on disk, but by placing your proposed stream-to-file in the way 
the CGI is no longer able to do that.

Regards,
Graham
--



Mime
View raw message