[Seaside] Buffer Overflow

Philippe Marschall philippe.marschall at gmail.com
Wed Sep 5 15:57:49 UTC 2007

2007/9/5, Richard Eng <richard.eng at rogers.com>:
> Is there any need to worry about  buffer overflow security holes in Seaside?

Not directly in the sense of remote code execution. (The socket layer
in the vm is still vulnerable to this since it is C). But certainly in
in the DOS sense. Putting 300 MiB into a html field is quite likely to
crash a Sqeak Image..

> I ask only because #textAreaInput has no way to constrain the ³size² of the
> data (whereas #textInput has #maxLength:).

If someone atificially creates an http request the html restrictions
don't apply to him. You can use a real webserver as a frontend and
limit the request size there.


> Thanks,
> Richard
> _______________________________________________
> Seaside mailing list
> Seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

More information about the Seaside mailing list