Limit HTTP POST size for form submission

tribixty Published at Dev

tribixty

Let's say I have a simple HTML webpage (served using apache) as

<!DOCTYPE HTML>
<html>
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width">
        <meta name="description" content="CGI script test">
        <meta name="keywords" content="test">
        <meta name="author" content="cgi test">
        <title> CGI Script Test </title>
    </head>
    <body>
        <form action="/cgi-bin/submit.py" method="POST">
            <label for="entry">Entry name: </label>
            <input type="text" id="entry" name="entryname" placeholder="placeholder" maxlength="10">
        </form>
    </body> 
</html>

where data submitted in the form is processed using submit.py, a python script (placed in my cgi-bin directory) as

#!/usr/bin/python

import cgi,re

form = cgi.FieldStorage()

print("Content-Type: text/html\n\n")
print("<title>Hello World</title>")
print("<h1>HELLO</h1>")

text=str(form.getvalue("entryname"))

print("<p> Parsing result...</p>")

result = re.sub('[^a-zA-Z0-9:@#/-_,]', ' ', text)

print("<h3> Resulting Info: </h3>")
print("<p>" + str(result) + "</p>")`

I want to avoid my server getting stuffed with POSTs that are excessively long. If I load the HTML webpage above, I can use the "inspect element" tool in firefox to delete the "maxlength" requirement and stuff in as much information as I want. The python script then receives the full input text. This is my first website and I want to make sure I do this right. Is there a limit to the size of the POST sent to the server, and if not, how do I limit it to prevent abuse?

saaj

You can examine Content-Length header and compare it with a limit. cgitb.enable should be helpful with displaying errors when the limit is reached.

import cgitb
import os


MAX_POST_BODY_SIZE = 1024

cgitb.enable(display=0)

content_length = int(os.getenv('CONTENT_LENGTH', 0))
if content_length > MAX_POST_BODY_SIZE:
    raise RuntimeError('POST body too long')

Update 1

I've looked into cgi module's code and it seems POST body size limiting is actually implemented in FieldStorage but it's not documented. There's cgi.maxlen attribute:

# Maximum input we will accept when REQUEST_METHOD is POST
# 0 ==> unlimited input
maxlen = 0

Hence, it should be just:

import cgi
import cgitb

cgi.maxlen = 1024
cgitb.enable(display=0)

form = cgi.FieldStorage()

[...] would the server still have to allocate memory to receive the full post?

As far as I can see in the initialiser of FieldStorage the steps are as follows:

fp is assigned, self.fp = sys.stdin.buffer
Content-Length is validated
when then Content-Type is application/x-www-form-urlencoded read_urlencoded is called which reads Content-Length bytes from the instance's fp attribute.

To test it with your CGI server, send a big request and look at htop or other process monitor for the CGI process' memory usage.

from urllib.request import urlopen

urlopen(
    'http://localhost:8000/cgi-bin/submit.py', 
    data=b'entryname=%s' % (b'abcd' * 2  ** 24),  # 64 MiB
)

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at2021-07-26

Comments

0 comments

TOP Ranking

Article