[Zope-Checkins] SVN: Zope/trunk/ - Collector #1371: added new
'cgi-maxlen' directive to zope.conf
Andreas Jung
andreas at andreas-jung.com
Fri Nov 26 07:12:06 EST 2004
Log message for revision 28510:
- Collector #1371: added new 'cgi-maxlen' directive to zope.conf
to limit the amount of form data being processed by Zope
to prevent DoS attacks
Changed:
U Zope/trunk/doc/CHANGES.txt
U Zope/trunk/lib/python/Zope/Startup/handlers.py
U Zope/trunk/lib/python/Zope/Startup/zopeschema.xml
U Zope/trunk/skel/etc/zope.conf.in
-=-
Modified: Zope/trunk/doc/CHANGES.txt
===================================================================
--- Zope/trunk/doc/CHANGES.txt 2004-11-26 11:54:27 UTC (rev 28509)
+++ Zope/trunk/doc/CHANGES.txt 2004-11-26 12:12:04 UTC (rev 28510)
@@ -46,6 +46,10 @@
Bugs fixed
+ - Collector #1371: added new 'cgi-maxlen' directive to zope.conf
+ to limit the amount of form data being processed by Zope
+ to prevent DoS attacks
+
- Collector #1407: changed WebDAV display name for objects
to title_or_id()
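Review bot: the new entry sits under "Bugs fixed" although it introduces a configuration directive, and it does not mention that the limit is off by default (the schema default is 0). Note the default in the entry so that sites upgrading know they have to set cgi-maxlen to get any protection.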
Modified: Zope/trunk/lib/python/Zope/Startup/handlers.py
===================================================================
--- Zope/trunk/lib/python/Zope/Startup/handlers.py 2004-11-26 11:54:27 UTC (rev 28509)
+++ Zope/trunk/lib/python/Zope/Startup/handlers.py 2004-11-26 12:12:04 UTC (rev 28510)
@@ -95,6 +95,10 @@
import ZServer
ZServer.LARGE_FILE_THRESHOLD = value
+def cgi_maxlen(value):
+ import cgi
+ cgi.maxlen = value
+
# server handlers
def root_handler(config):
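Review bot: cgi_maxlen() assigns the configured value straight to cgi.maxlen with no range check, and the schema key only declares datatype="integer", so a negative number in zope.conf would be accepted. Reject values below 0 in the handler (or in the datatype) so that a bad setting fails at startup. A short docstring would also help: the assignment changes a module-level global in cgi, so the limit applies process-wide to everything that uses that module, not per server.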
Modified: Zope/trunk/lib/python/Zope/Startup/zopeschema.xml
===================================================================
--- Zope/trunk/lib/python/Zope/Startup/zopeschema.xml 2004-11-26 11:54:27 UTC (rev 28509)
+++ Zope/trunk/lib/python/Zope/Startup/zopeschema.xml 2004-11-26 12:12:04 UTC (rev 28510)
@@ -522,6 +522,14 @@
</description>
</section>
+ <key name="cgi-maxlen" default="0" handler="cgi_maxlen" datatype="integer">
+ <description>
+ Set the cgi.maxlen parameter to limit the number of data passwed to
+ cgi.escape(). This is helpful to prevent DoS attacks. Set the parameter
+ to 0 for no restrictions.
+ </description>
+ </key>
+
<key name="dns-server" datatype=".dns_resolver" attribute="dns_resolver">
<description>
Specify the ip address of your DNS server in order to cause resolved
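Review bot: the description for cgi-maxlen says the limit applies to data passed to cgi.escape(), which matches neither the handler (it sets cgi.maxlen) nor the zope.conf.in text (amount of form data processed by Zope). Reword it as a cap on the form data accepted per request, fix the "passwed" typo, and state the unit of the integer.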
Modified: Zope/trunk/skel/etc/zope.conf.in
===================================================================
--- Zope/trunk/skel/etc/zope.conf.in 2004-11-26 11:54:27 UTC (rev 28509)
+++ Zope/trunk/skel/etc/zope.conf.in 2004-11-26 12:12:04 UTC (rev 28510)
@@ -418,6 +418,19 @@
# http-realm Slipknot
+# Directive: cgi-maxlen
+#
+# Description:
+# Set this value to limit the amount of form data being processed
+# by Zope to prevent DoS attacks.
+#
+# Default: 0 (= no restrictions)
+#
+# Example:
+#
+# cgi-maxlen 10000
+
+
# Directive: automatically-quote-dtml-request-data
#
# Description:
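Review bot: the cgi-maxlen comment block gives "cgi-maxlen 10000" as the example but never states the unit of the value or what happens to a request that exceeds it. Add both, and since "Default: 0 (= no restrictions)" means the DoS protection is disabled until an administrator sets a value, say so explicitly in the description.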