- Collector #1371: added new 'cgi-maxlen' directive to zope.conf to limit the amount of form data being processed by Zope to prevent DoS attacks

9e9b156a · Andreas Jung · 40d94341 · 9e9b156a · 9e9b156a · 9e9b156a
Commit 9e9b156a authored Nov 26, 2004 by Andreas Jung
4 changed files
--- a/doc/CHANGES.txt
+++ b/doc/CHANGES.txt
@@ -46,6 +46,10 @@ Zope Changes

    Bugs fixed

+      - Collector #1371: added new 'cgi-maxlen' directive to zope.conf 
+        to limit the amount of form data being processed by Zope 
+        to prevent DoS attacks
+
      - Collector #1407: changed WebDAV display name for objects
        to title_or_id() 


--- a/lib/python/Zope/Startup/handlers.py
+++ b/lib/python/Zope/Startup/handlers.py
@@ -95,6 +95,10 @@ def large_file_threshold(value):
    import ZServer
    ZServer.LARGE_FILE_THRESHOLD = value

+def cgi_maxlen(value):
+    import cgi
+    cgi.maxlen = value
+
 # server handlers

 def root_handler(config):

--- a/lib/python/Zope/Startup/zopeschema.xml
+++ b/lib/python/Zope/Startup/zopeschema.xml
@@ -522,6 +522,14 @@
    </description>
  </section>

+  <key name="cgi-maxlen" default="0" handler="cgi_maxlen" datatype="integer">
+    <description>
+     Set the cgi.maxlen parameter to limit the number of data passwed to
+     cgi.escape(). This is helpful to prevent DoS attacks. Set the parameter
+     to 0 for no restrictions.
+    </description>
+  </key>
+
  <key name="dns-server" datatype=".dns_resolver" attribute="dns_resolver">
    <description>
     Specify the ip address of your DNS server in order to cause resolved

--- a/skel/etc/zope.conf.in
+++ b/skel/etc/zope.conf.in
@@ -418,6 +418,19 @@ instancehome $INSTANCE
 #    http-realm Slipknot


+# Directive: cgi-maxlen
+#
+# Description:
+#     Set this value to limit the amount of form data being processed 
+#     by Zope to prevent DoS attacks.
+#
+# Default: 0 (= no restrictions)
+#
+# Example:
+#
+#    cgi-maxlen 10000
+
+
 # Directive: automatically-quote-dtml-request-data
 #
 # Description: