COMMAND

    ActivePerl (PerlScript and Perl-ISAPI)

SYSTEMS AFFECTED

    ActivePerl 516 and earlier

PROBLEM

    Following is based on  ActiveState Security Advisory.   PerlScript
    and Perl-ISAPI that come with ActivePerl 516 and earlier versions,
    inadequately check the length of path information sent to  open().
    Due to  limits on  path and  filename length  in Windows, this can
    crash IIS if sufficiently large  strings are provided as paths  or
    filenames.

SOLUTION

    This is fixed in ActivePerl 517.  If you are unable to upgrade  to
    ActivePerl 517  then all  path information  should be  checked for
    sane lengths before  being passed to  open().  The  maximum length
    of  a  path,  including  drive,  directory  and  filename  is  259
    characters.  The maximum length of the filename portion of a  path
    is 255 characters.   The maximum length  of the directory  portion
    of a path is 255 characters.  Example:

        $filename = substr $filename, 0, 255;
        open FOO, ">$filename";