Title: cgi: Document the 'maxlen' member of the cgi module
Type: enhancement
Stage: needs patch
Components: Documentation, Library (Lib)
Versions: Python 3.11
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To: docs@python
Nosy List: deadpixi, docs@python, iritkatriel
Priority: normal
Keywords: easy, newcomer friendly

Created on 2015-04-14 17:58 by deadpixi, last changed 2021-11-21 17:50 by iritkatriel.

Messages (1)
msg240965 - Author: Rob King (deadpixi) Date: 2015-04-14 17:58
The cgi module has a global variable, 'maxlen', that specifies the maximum length of a POST request. By default, this limit is 0, meaning an unlimited POST request size.

Having an unlimited default opens up CGI scripts to resource-exhaustion attacks. Setting the maxlen variable to a nonzero integer solves this problem, but this fix is not in the official documentation - neither the reference manual nor the module's docstring.

I would recommend augmenting the module's docstring with the following statement:

"The maxlen variable can be set to an integer indicating the maximum size of a POST request. POST requests larger than this size will result in a ValueError being raised during parsing. The default value of this variable is 0, meaning the request size is unlimited."
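
The limit described in the message above, as an added example that is not part of the original issue and is not the cgi module's code: a stand-alone guard for a CGI-style script that applies the same semantics (0 means unlimited, an oversized POST raises ValueError). The names read_post_body, MAXLEN and demo, and the sample requests, are assumptions constructed for illustration.

```python
import io

MAXLEN = 64 * 1024  # assumed limit for this example; 0 would mean "unlimited"


def read_post_body(environ, stream, maxlen=MAXLEN):
    """Return the POST body, refusing requests that declare more than maxlen bytes.

    In a real CGI script, environ would be os.environ and stream would be
    sys.stdin.buffer.
    """
    raw = environ.get("CONTENT_LENGTH", "")
    try:
        clen = int(raw) if raw else 0
    except ValueError:
        raise ValueError("invalid Content-Length: %r" % raw) from None
    if clen < 0:
        raise ValueError("negative Content-Length")
    # Check the declared size before reading anything from the client.
    if maxlen and clen > maxlen:
        raise ValueError("Maximum content length exceeded")
    # Read at most the declared number of bytes, so a client that sends more
    # than it declared cannot push the script past the limit either.
    body = stream.read(clen)
    if len(body) < clen:
        raise ValueError("request body shorter than Content-Length")
    return body


def demo():
    """Run two constructed POST requests against a 100-byte limit."""
    small = b"name=alice&comment=hello"   # constructed sample, 24 bytes
    big = b"x=" + b"A" * 200              # constructed sample, 202 bytes
    results = []
    for body in (small, big):
        environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(body))}
        try:
            read_post_body(environ, io.BytesIO(body), maxlen=100)
            results.append("accepted")
        except ValueError as exc:
            results.append("rejected: %s" % exc)
    return results


if __name__ == "__main__":
    print(demo())
```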

Date                 User            Action  Args
2021-11-21 17:50:24  iritkatriel     set     messages: - msg406733
2021-11-21 17:48:54  iritkatriel     set     type: enhancement
                                             components: + Library (Lib)
                                             versions: + Python 3.11, - Python 3.7, Python 3.8
                                             keywords: + easy, newcomer friendly
                                             nosy: + iritkatriel
                                             messages: + msg406733
2018-03-25 23:29:23  cheryl.sabella  set     nosy: + docs@python
                                             title: Document the 'maxlen' member of the cgi module -> cgi: Document the 'maxlen' member of the cgi module
                                             assignee: docs@python
                                             versions: + Python 3.7, Python 3.8, - Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6
                                             components: + Documentation
                                             stage: needs patch
2015-04-14 17:58:17  deadpixi        set     versions: + Python 2.7, Python 3.2, Python 3.3
2015-04-14 17:58:05  deadpixi        create