Issue 23952: cgi: Document the 'maxlen' member of the cgi module (original) (raw)

The cgi module has a global variable, 'maxlen', that specifies the maximum length of a POST request. By default, this limit is 0, meaning an unlimited POST request size.

Having an unlimited default opens up CGI scripts to resource-exhaustion attacks. Setting the maxlen variable to a nonzero integer solves this problem, but this fix is not in the official documentation - neither the reference manual nor the module's docstring.

I would recommend augmenting the module's docstring with the following statement:

"The maxlen variable can be set to an integer indicating the maximum size of a POST request. POST requests larger than this size will result in a ValueError being raised during parsing. The default value of this variable is 0, meaning the request size is unlimited."