Opened 14 years ago

Closed 14 years ago

Last modified 14 years ago

#3583 closed task (fixed)

CGI params is limited to 100

Reported by: aboudreault
Owned by: aboudreault
Priority: normal
Milestone: 6.0 release
Component: MapServer C Library
Version: unspecified
Severity: normal
Keywords:
Cc:

Description

Though the max cgi params limit is very big and there are only a few cases that need more, I'm going to remove that limit and make this dynamic rather than static.

Change History (8)

comment:1 by aboudreault, 14 years ago

Fixed and committed in r10645.

comment:2 by aboudreault, 14 years ago

Resolution: fixed
Status: new → closed

comment:3 by rouault, 14 years ago

I'm wondering if the results of the realloc shouldn't be checked? There might be a risk that an attacker would provide a huge number of cgi parameters to cause a segfault and perhaps worse.

comment:4 by aboudreault, 14 years ago

umm... that's right. I'm going to add a check tomorrow to prevent this.

comment:5 by tamas, 14 years ago

I've also added a fix for the mapscript problems introduced with the change above, see: r10648

comment:6 by warmerdam, 14 years ago

One more fix in the php bindings (r10649).

comment:7 by aboudreault, 14 years ago

Thanks for fixing the bindings, guys. I've added realloc checks in r10659 to prevent seg fault.

comment:8 by aboudreault, 14 years ago

FYI, I had concerns about the way I did it in r10659. I've modified it a little bit in r10664 to be sure. Anyway, this will probably be changed during the MALLOC ticket #3559.
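
The concern raised in comment:3, shown as an added example that is not part of the ticket and is not MapServer's code: a growable CGI parameter list in which every realloc result is checked before use and the parameter count is capped. The names `param_list`, `PARAM_CHUNK` and `PARAM_HARD_MAX`, and their values, are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

#define PARAM_CHUNK    100u    /* growth step (assumed value) */
#define PARAM_HARD_MAX 10000u  /* hypothetical policy cap on parameter count */

/* Entries point into the caller's request buffer; nothing is copied. */
typedef struct { const char **names, **values; size_t count, capacity; } param_list;

/* Grow both arrays by one chunk. Returns 0 on success, -1 on failure.
 * On failure the list is unchanged and its existing entries stay valid. */
static int param_list_grow(param_list *pl) {
    size_t new_cap = pl->capacity + PARAM_CHUNK;
    if (new_cap > PARAM_HARD_MAX || new_cap > SIZE_MAX / sizeof(char *))
        return -1;                    /* cap reached, or byte size would overflow */
    /* Keep realloc's result in a temporary: on NULL the old block is still
     * allocated, and overwriting pl->names would leak it and lose the data. */
    const char **n = realloc(pl->names, new_cap * sizeof(char *));
    if (n == NULL) return -1;
    pl->names = n;
    const char **v = realloc(pl->values, new_cap * sizeof(char *));
    if (v == NULL) return -1;         /* names is merely oversized, still valid */
    pl->values = v;
    pl->capacity = new_cap;           /* only raised once both arrays have room */
    return 0;
}

int param_list_add(param_list *pl, const char *name, const char *value) {
    if (pl->count == pl->capacity && param_list_grow(pl) != 0)
        return -1;                    /* caller should reject the request */
    pl->names[pl->count] = name;
    pl->values[pl->count++] = value;
    return 0;
}

/* Try to store n constructed pairs; returns how many were accepted. */
size_t param_list_fill(param_list *pl, size_t n) {
    size_t i = 0;
    while (i < n && param_list_add(pl, "k", "v") == 0) i++;
    return i;
}

void param_list_free(param_list *pl) {
    free(pl->names); free(pl->values);
    *pl = (param_list){0};
}

int main(void) {
    param_list pl = {0};
    size_t stored = param_list_fill(&pl, 20000);  /* constructed oversized request */
    param_list_free(&pl);
    return stored == PARAM_HARD_MAX ? 0 : 1;      /* flood stops at the cap */
}
```
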
