From 5fb6946b92e3c251222a0adc5cb153362d757266 Mon Sep 17 00:00:00 2001
From: paul
Date: Thu, 6 Oct 2016 21:24:06 +0000
Subject: [PATCH] limit stdin consumption to content length

svn path=/trunk/; revision=33
---
 cgi.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/cgi.sh b/cgi.sh
index 7ff73d0..7fa5416 100755
--- a/cgi.sh
+++ b/cgi.sh
@@ -17,6 +17,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with shcgi. If not, see .
 
+unset _GET _POST _REF _COOKIE
 declare -A _GET
 declare -A _POST
 declare -A _REF
@@ -33,10 +34,12 @@ printf '%s\n' "$QUERY_STRING" |tr '&' '\n' |while read query; do
 debug "_GET[$key] => $val"
 done
 
-if [ "$REQUEST_METHOD" = POST ]; then
+if [ "$REQUEST_METHOD" = POST -a "$HTTP_CONTENT_LENGTH" -gt 0 ]; then
 # parse HTTP POST string
 debug "== CGI DATA: POST =="
-sed -u 1q |tr '&' '\n' |while read query; do
+head -c "$HTTP_CONTENT_LENGTH" \
+| sed -un '2q; 1{s;&;\n;g; p}' \
+| while read query; do
 key="$(printf %s "$query" |sed -r 's:^([\.a-zA-Z0-9_-]+)=(.*)$:\1:')"
 val="$(printf %s "$query" |sed -r 's:^([\.a-zA-Z0-9_-]+)=(.*)$:\2:')"
 value="$(printf "$(printf %s "$val" |sed 's:+: :g;s:\\:\\\\:g;s:%:\\x:g;')")"
-- 
2.39.2
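Review bot: The new guard `[ "$REQUEST_METHOD" = POST -a "$HTTP_CONTENT_LENGTH" -gt 0 ]` in the second hunk makes `test` print an "integer expression expected" error and skip the POST branch whenever HTTP_CONTENT_LENGTH is unset or not a plain integer, and the same unvalidated, client-supplied value is then handed to `head -c`. Validate it before comparing, e.g. `if [ "$REQUEST_METHOD" = POST ] && [[ "$HTTP_CONTENT_LENGTH" =~ ^[0-9]+$ ]] && [ "$HTTP_CONTENT_LENGTH" -gt 0 ]; then`, which also drops the deprecated `-a` form; the file already uses `declare -A`, so `[[` is available. If the serving web server follows RFC 3875 it exposes the body length as CONTENT_LENGTH rather than HTTP_CONTENT_LENGTH, in which case this branch would never fire — worth confirming against the server this script is deployed behind. Both the `if` block and the `while read query` loop continue past the end of the hunk.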