- Collector #1371: added new 'cgi-maxlen' directive to zope.conf

        to limit the amount of form data being processed by Zope 
        to prevent DoS attacks

doc/CHANGES.txt

@@ -46,6 +46,10 @@ Zope Changes
 
     Bugs fixed
 
+      - Collector #1371: added new 'cgi-maxlen' directive to zope.conf 
+        to limit the amount of form data being processed by Zope 
+        to prevent DoS attacks
+
       - Collector #1407: changed WebDAV display name for objects
         to title_or_id() 
 

lib/python/Zope/Startup/handlers.py

@@ -95,6 +95,10 @@ def large_file_threshold(value):
     import ZServer
     ZServer.LARGE_FILE_THRESHOLD = value
 
+def cgi_maxlen(value):
+    import cgi
+    cgi.maxlen = value
+
 # server handlers
 
 def root_handler(config):

lib/python/Zope/Startup/zopeschema.xml

@@ -522,6 +522,14 @@
     </description>
   </section>
 
+  <key name="cgi-maxlen" default="0" handler="cgi_maxlen" datatype="integer">
+    <description>
+     Set the cgi.maxlen parameter to limit the number of data passwed to
+     cgi.escape(). This is helpful to prevent DoS attacks. Set the parameter
+     to 0 for no restrictions.
+    </description>
+  </key>
+
   <key name="dns-server" datatype=".dns_resolver" attribute="dns_resolver">
     <description>
      Specify the ip address of your DNS server in order to cause resolved

skel/etc/zope.conf.in

@@ -418,6 +418,19 @@ instancehome $INSTANCE
 #    http-realm Slipknot
 
 
+# Directive: cgi-maxlen
+#
+# Description:
+#     Set this value to limit the amount of form data being processed 
+#     by Zope to prevent DoS attacks.
+#
+# Default: 0 (= no restrictions)
+#
+# Example:
+#
+#    cgi-maxlen 10000
+
+
 # Directive: automatically-quote-dtml-request-data
 #
 # Description: