This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

Author deadpixi
Recipients deadpixi
Date 2015-04-14.17:58:05
Message-id <1429034285.17.0.254053228622.issue23952@psf.upfronthosting.co.za>
Content
The cgi module has a global variable, 'maxlen', that specifies the maximum length of a POST request. By default, this limit is 0, meaning an unlimited POST request size.

Having an unlimited default opens up CGI scripts to resource-exhaustion attacks. Setting the maxlen variable to a nonzero integer solves this problem, but this fix is not in the official documentation - neither the reference manual nor the module's docstring.

I would recommend augmenting the module's docstring with the following statement:

"The maxlen variable can be set to an integer indicating the maximum size of a POST request. POST requests larger than this size will result in a ValueError being raised during parsing. The default value of this variable is 0, meaning the request size is unlimited."
History
Date                 User      Action  Args
2015-04-14 17:58:05  deadpixi  set     recipients: + deadpixi
2015-04-14 17:58:05  deadpixi  set     messageid: <1429034285.17.0.254053228622.issue23952@psf.upfronthosting.co.za>
2015-04-14 17:58:05  deadpixi  link    issue23952 messages
2015-04-14 17:58:05  deadpixi  create
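
Added example, not part of the original message or of CPython: a sketch of the behaviour the message describes, where setting cgi.maxlen makes an oversized POST fail with ValueError during parsing while 0 leaves the size unlimited. The names parse_post and MAX_POST_BYTES and the sample bodies are constructed for illustration; the fallback branch is an assumption that goes beyond the message, applying the same check by hand on Python 3.13 and later, where the cgi module no longer exists.

```python
import io
import warnings
from urllib.parse import parse_qs

try:
    with warnings.catch_warnings():
        # cgi is deprecated since 3.11 and removed in 3.13 (PEP 594).
        warnings.simplefilter("ignore", DeprecationWarning)
        import cgi
except ImportError:
    cgi = None

MAX_POST_BYTES = 64  # constructed limit, kept small for the demo


def parse_post(body: bytes, limit: int = MAX_POST_BYTES) -> dict:
    """Parse a urlencoded POST body; raise ValueError if it exceeds `limit`."""
    # Constructed CGI environment, as a web server would pass it to the script.
    environ = {
        "REQUEST_METHOD": "POST",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)),
    }
    if cgi is not None:
        # maxlen is a module-level global, so it applies to every parse in
        # this process. 0 (the default) means no limit at all.
        cgi.maxlen = limit
        form = cgi.FieldStorage(fp=io.BytesIO(body), environ=environ)
        return {key: form.getlist(key) for key in form.keys()}
    # Fallback (assumption): mirror the check on the declared length.
    declared = int(environ["CONTENT_LENGTH"])
    if limit and declared > limit:
        raise ValueError("Maximum content length exceeded")
    return parse_qs(body[:declared].decode("utf-8"))


if __name__ == "__main__":
    print(parse_post(b"name=alice&role=admin"))
    try:
        parse_post(b"x=" + b"A" * 1000)
    except ValueError as exc:
        print("rejected:", exc)
```
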