Bug #29166 for CGI: POST_MAX exceeded

Tue Sep 04 10:51:02 2007 bwooster47 [...] gmail.com - Ticket created

Subject:	POST_MAX exceeded - and script pegs CPU
Date:	Tue, 4 Sep 2007 10:50:03 -0400
To:	bug-CGI.pm [...] rt.cpan.org
From:	"B Wooster" <bwooster47 [...] gmail.com>

This looks like the issue reported in http://rt.cpan.org/Public/Bug/Display.html?id=19222, but I don't see that fix/patch in any new release of CGI yet - so not sure if this is the same problem. I've created a simple test case - a form that allows a file upload. If the file size is less than POST_MAX, everything works fine. If it is greater, then cgi_error() never returns, and after 120 seconds, during which time the script pegs the CPU at 100%, I get Timeout messages in the error_log. Should I be editing the CGI.pm file to exit immediately if POST_MAX is exceeded? Or is there a newer version of CGI.pm that fixes this issue? CGI.pm version 2.46 had this code: die "Client attempted to POST $content_length bytes, but POSTs are limited to $POST_MAX" if ($POST_MAX > 0) && ($content_length > $POST_MAX); and I seem to remember that it worked fine, so the problem may be the 3.15 version changes that attempt to read everything and then discarding it? I am using Fedora Core 7 Server version: Apache/2.2.4 (Unix) Server built: Jun 26 2007 10:00:55 /usr/lib/perl5/5.8.8/CGI.pm: $CGI::revision = '$Id: CGI.pm,v 1.194 2005/12/06 22:12:56 lstein Exp $'; $CGI::VERSION='3.15';

Message body is not shown because sender requested not to inline it.

Tue Sep 04 14:26:24 2007 LDS [...] cpan.org - Taken

Tue Sep 04 14:29:09 2007 LDS [...] cpan.org - Correspondence added 1 min

It would seem that cgi_error() is triggering a recursive loop. I will try to fix that without breaking other things. Lincoln On Tue Sep 04 10:51:02 2007, bwooster47@gmail.com wrote: Show quoted text

> This looks like the issue reported in > http://rt.cpan.org/Public/Bug/Display.html?id=19222, but I don't see > that fix/patch in any new release of CGI yet - so not sure if this is > the same problem. > > I've created a simple test case - a form that allows a file upload. If > the file size is less than POST_MAX, everything works fine. If it is > greater, then cgi_error() never returns, and after 120 seconds, during > which time the script pegs the CPU at 100%, I get Timeout messages in > the error_log. > > Should I be editing the CGI.pm file to exit immediately if POST_MAX is > exceeded? Or is there a newer version of CGI.pm that fixes this issue? > CGI.pm version 2.46 had this code: > die "Client attempted to POST $content_length bytes, but POSTs are > limited to $POST_MAX" > if ($POST_MAX > 0) && ($content_length > $POST_MAX); > > and I seem to remember that it worked fine, so the problem may be the > 3.15 version changes that attempt to read everything and then > discarding it? > > I am using Fedora Core 7 > Server version: Apache/2.2.4 (Unix) > Server built: Jun 26 2007 10:00:55 > > /usr/lib/perl5/5.8.8/CGI.pm: > $CGI::revision = '$Id: CGI.pm,v 1.194 2005/12/06 22:12:56 lstein Exp $'; > $CGI::VERSION='3.15';

Tue Sep 04 14:29:11 2007 The RT System itself - Status changed from 'new' to 'open'

Fri Sep 07 08:45:25 2007 bwooster47 [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #29166] POST_MAX exceeded - and script pegs CPU
Date:	Fri, 7 Sep 2007 08:42:08 -0400
To:	bug-CGI.pm [...] rt.cpan.org
From:	"B Wooster" <bwooster47 [...] gmail.com>

I just found that Fedora Code 7 ships with older CGI.pm - I moved to latest (3.29), and it works fine - I looked that code, it does not try to read data any more on exceeding limit, so it is back to the way it was in CGI.pm 2.46 (at least). if (($POST_MAX > 0) && ($content_length > $POST_MAX)) { #discard the post, unread $self->cgi_error("413 Request entity too large"); last METHOD; } The above code works fine - I just tested it - so this can be marked fixed in 3.29. [ The 3.15 code shows this problem. ] On 9/4/07, Lincoln_D_Stein via RT <bug-CGI.pm@rt.cpan.org> wrote: Show quoted text

> > <URL: http://rt.cpan.org/Ticket/Display.html?id=29166 > > > It would seem that cgi_error() is triggering a recursive loop. I will > try to fix that without breaking other things. > > Lincoln > > On Tue Sep 04 10:51:02 2007, bwooster47@gmail.com wrote:

> > This looks like the issue reported in > > http://rt.cpan.org/Public/Bug/Display.html?id=19222, but I don't see > > that fix/patch in any new release of CGI yet - so not sure if this is > > the same problem. > > > > I've created a simple test case - a form that allows a file upload. If > > the file size is less than POST_MAX, everything works fine. If it is > > greater, then cgi_error() never returns, and after 120 seconds, during > > which time the script pegs the CPU at 100%, I get Timeout messages in > > the error_log. > > > > Should I be editing the CGI.pm file to exit immediately if POST_MAX is > > exceeded? Or is there a newer version of CGI.pm that fixes this issue? > > CGI.pm version 2.46 had this code: > > die "Client attempted to POST $content_length bytes, but POSTs are > > limited to $POST_MAX" > > if ($POST_MAX > 0) && ($content_length > $POST_MAX); > > > > and I seem to remember that it worked fine, so the problem may be the > > 3.15 version changes that attempt to read everything and then > > discarding it? > > > > I am using Fedora Core 7 > > Server version: Apache/2.2.4 (Unix) > > Server built: Jun 26 2007 10:00:55 > > > > /usr/lib/perl5/5.8.8/CGI.pm: > > $CGI::revision = '$Id: CGI.pm,v 1.194 2005/12/06 22:12:56 lstein Exp $'; > > $CGI::VERSION='3.15';

> > > >

Fri Jul 24 20:34:38 2009 MARKSTOS [...] cpan.org - Status changed from 'open' to 'resolved'

Fri May 23 14:28:47 2014 The RT System itself - Queue changed from CGI.pm to CGI

Bug #29166 for CGI: POST_MAX exceeded - and script pegs CPU

Preferred bug tracker