From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from krisdoz.my.domain (schwarze@localhost [127.0.0.1]) by krisdoz.my.domain (8.14.5/8.14.5) with ESMTP id s7LG5MtQ012015 for ; Thu, 21 Aug 2014 12:05:22 -0400 (EDT) Received: (from schwarze@localhost) by krisdoz.my.domain (8.14.5/8.14.3/Submit) id s7LG5M9m024498; Thu, 21 Aug 2014 12:05:22 -0400 (EDT) Date: Thu, 21 Aug 2014 12:05:22 -0400 (EDT) Message-Id: <201408211605.s7LG5M9m024498@krisdoz.my.domain> X-Mailinglist: mdocml-source Reply-To: source@mdocml.bsd.lv MIME-Version: 1.0 From: schwarze@mdocml.bsd.lv To: source@mdocml.bsd.lv Subject: mdocml: limit CGI process execution time to make REDoS attacks less X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/ Content-Type: text/plain; charset=utf-8 Log Message: ----------- limit CGI process execution time to make REDoS attacks less effective; attack surface pointed out by Sebastien Marie Modified Files: -------------- mdocml: cgi.c Revision Data ------------- Index: cgi.c =================================================================== RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/cgi.c,v retrieving revision 1.94 retrieving revision 1.95 diff -Lcgi.c -Lcgi.c -u -p -r1.94 -r1.95 --- cgi.c +++ cgi.c @@ -18,6 +18,7 @@ #include "config.h" #include +#include #include #include @@ -1029,9 +1030,22 @@ int main(void) { struct req req; + struct itimerval itimer; const char *path; const char *querystring; int i; + + /* Poor man's ReDoS mitigation. */ + + itimer.it_value.tv_sec = 1; + itimer.it_value.tv_usec = 0; + itimer.it_interval.tv_sec = 1; + itimer.it_interval.tv_usec = 0; + if (setitimer(ITIMER_VIRTUAL, &itimer, NULL) == -1) { + fprintf(stderr, "setitimer: %s\n", strerror(errno)); + pg_error_internal(); + return(EXIT_FAILURE); + } /* Scan our run-time environment. */ -- To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv
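Review bot: in the first hunk the name of the added header is not visible in this copy of the diff (the angle-bracketed names were stripped on the way to the list), so please confirm it is <sys/time.h>, which declares setitimer(), struct itimerval and ITIMER_VIRTUAL; the new error path in main() also relies on errno and strerror(), so <errno.h> and <string.h> must already be among the existing includes or the file will not build.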
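Review bot: in the second hunk, `itimer.it_interval.tv_sec = 1;` has no effect: no handler is installed for SIGVTALRM, whose default disposition terminates the process, so the first expiry of ITIMER_VIRTUAL ends the CGI and no repeat interval is ever delivered. Setting it_interval to zero, with a one-line comment that the default SIGVTALRM action is the intended kill, would make the mechanism obvious to the next reader. Two points worth a sentence in the comment or the commit message: ITIMER_VIRTUAL counts only this process's user CPU time, which is exactly what a catastrophic regex match consumes, so requests that are merely slow on I/O are not affected; and a legitimately expensive query that crosses one CPU second dies mid-response without the pg_error_internal() page, leaving the web server to report a terminated child. The failure branch itself is fine: it logs the reason, emits the internal-error page and returns EXIT_FAILURE before any query string is parsed.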