> Hi, I had a look at this, the above use case is OK, it doesn't produce any new
> atoms. However, multipart POSTs do.
> AFAICS, the call to list_to_atom/1 in yaws_api.erl, function
> make_parse_line_reply/3 is called on all the "keys" in a multipart POST.
> These would be things like "filename", "boundary" etc.
> A malicious script that POSTs multiparts with different "keys" will kill a
> yaws server.
> This should be fixed, I think. It'll be backwards incompatible though.
> Opinions?

Whoops, I just saw this after posting that there wasn't a problem.
Yet there seems to be a problem after all, both with the yaws.pdf
(trivial to fix) and multipart posts (more problematic).
I'm new here, so I don't expect my input to count for much.
However, I think it should be fixed. For the website I am
currently building, this is exactly the kind of attack I
will be hit with, and more.
But hey, it's great to find small issues like this. Will help to
make your fine product more bulletproof over time.
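
The atom growth discussed in this thread, shown as an added example that is not part of the original messages and is not Yaws code: the `list_to_atom/1` pattern applied to client-supplied multipart keys, next to a mapping that only produces atoms for keys the server expects. The module name `multipart_keys`, its function names and the sample parameter lines are assumptions made up for this illustration.

```erlang
%% Added illustration; module and function names are hypothetical, not Yaws code.
-module(multipart_keys).
-export([unsafe_key/1, safe_key/1, parse_params/1, demo/0]).

%% Vulnerable pattern: every distinct client-supplied key becomes a new atom.
%% Atoms are never garbage collected and the atom table is bounded
%% (1,048,576 entries by default, adjustable with "erl +t").
unsafe_key(Key) when is_list(Key) ->
    list_to_atom(string:lowercase(Key)).

%% Hardened pattern: only keys the server expects map to atoms; anything
%% else stays a string, which is ordinary garbage-collected data.
safe_key(Key) when is_list(Key) ->
    case string:lowercase(Key) of
        "name"     -> name;
        "filename" -> filename;
        "boundary" -> boundary;
        Other      -> Other
    end.

%% Parse a constructed "k=v; k=v" parameter line using the hardened mapping.
parse_params(Line) ->
    [begin
         {K, V} = split_kv(string:trim(P)),
         {safe_key(K), string:trim(V, both, "\"")}
     end || P <- string:lexemes(Line, ";"), string:trim(P) =/= ""].

split_kv(P) ->
    case string:split(P, "=") of
        [K, V] -> {K, V};
        [K]    -> {K, ""}
    end.

%% Returns {AtomsAddedBySafePath, AtomsAddedByUnsafePath} for 1000
%% constructed parts that each carry a unique parameter name.
demo() ->
    _ = parse_params("name=\"warmup\""),          % load modules before counting
    Before = erlang:system_info(atom_count),
    _ = [parse_params("name=\"f\"; x" ++ integer_to_list(N) ++ "=1")
         || N <- lists:seq(1, 1000)],
    AfterSafe = erlang:system_info(atom_count),
    _ = [unsafe_key("x" ++ integer_to_list(N)) || N <- lists:seq(1, 1000)],
    AfterUnsafe = erlang:system_info(atom_count),
    {AfterSafe - Before, AfterUnsafe - AfterSafe}.
```

Returning strings for unknown keys changes the type callers see, which is the backwards incompatibility raised in the quoted message. `list_to_existing_atom/1` is another way to refuse to create new atoms from input.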