ActivePerl 516 and earlier inadequately check the length of paths passed to open(), which can crash IIS. Upgrade to 517 to fix the issue.
`Date: Mon, 31 May 1999 07:16:53 -0700
From: Michael Smith <[email protected]>
To: [email protected]
Subject: ActiveState Security Advisory
Problem
--------
PerlScript and Perl-ISAPI that come with ActivePerl 516 and earlier
versions inadequately check the length of path information sent to open().
Due to limits on path and filename length in Windows, this can crash IIS
if sufficiently large strings are provided as paths or filenames.
Solution
---------
This is fixed in ActivePerl 517.
Work Around
------------
If you are unable to upgrade to ActivePerl 517 then all path information
should be checked for sane lengths before being passed to open(). The
maximum length of a path, including drive, directory and filename is 259
characters. The maximum length of the filename portion of a path is 255
characters. The maximum length of the directory portion of a path is 255
characters.
example:
    # Truncate to the 255-character filename limit before calling open()
    $filename = substr $filename, 0, 255;
    open FOO, ">$filename" or die "Cannot open file: $!";
General Comments
-----------------
Care should be taken when accepting input from users, especially in a web
context where users are untrusted and relatively anonymous. When designing
CGI scripts some thought should be given to checking user input for sane
values. Use of taint mode and warnings (-t and -w) is also highly
recommended.
The Activators.
`
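The workaround's three limits can also be enforced by rejecting over-long input instead of truncating it. The following is an added example, not code from the advisory or from ActiveState: `path_length_errors` is a hypothetical helper, the sample paths are constructed, and it assumes a Perl whose File::Spec provides `splitpath`.

```perl
#!/usr/bin/perl -w
use strict;
use File::Spec::Win32;   # Windows path rules, whatever platform runs this

# Limits in characters, as given in the advisory's workaround.
use constant MAX_PATH_LEN => 259;   # drive + directory + filename
use constant MAX_DIR_LEN  => 255;   # directory portion
use constant MAX_FILE_LEN => 255;   # filename portion

# Hypothetical helper: returns a list of reasons the path is too long;
# an empty list means every limit is satisfied.
sub path_length_errors {
    my ($path) = @_;
    return ('path is undefined or empty')
        unless defined($path) && length($path);

    my ($volume, $dir, $file) = File::Spec::Win32->splitpath($path);

    my @errors;
    push @errors, sprintf('full path is %d characters (max %d)',
                          length($path), MAX_PATH_LEN)
        if length($path) > MAX_PATH_LEN;
    push @errors, sprintf('directory is %d characters (max %d)',
                          length($dir), MAX_DIR_LEN)
        if length($dir) > MAX_DIR_LEN;
    push @errors, sprintf('filename is %d characters (max %d)',
                          length($file), MAX_FILE_LEN)
        if length($file) > MAX_FILE_LEN;
    return @errors;
}

# Constructed sample inputs (not taken from the advisory).
my @samples = (
    'C:\\inetpub\\data\\report.txt',
    'C:\\inetpub\\data\\' . ('A' x 300) . '.txt',
    'C:\\' . join('\\', ('dir' x 10) x 10) . '\\out.txt',
);

for my $path (@samples) {
    my @errors = path_length_errors($path);
    my $shown  = length($path) > 40 ? substr($path, 0, 37) . '...' : $path;
    if (@errors) {
        print "REJECT $shown: ", join('; ', @errors), "\n";
        next;                       # never reaches open()
    }
    print "OK     $shown\n";        # safe to hand to open() from here
}
```

Rejecting the request keeps the script from silently writing to a different file name than the one the caller supplied, which is what truncation does.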