diff options
| author |   schwarze <schwarze@openbsd.org> | 2014-08-21 16:03:50 +0000 |
|---|---|---|
| committer | schwarze <schwarze@openbsd.org> | 2014-08-21 16:03:50 +0000 |
| commit | 136c26b862ba9f7b890810c1c0a02760cfc21ab3 (patch) | |
| tree | 4e07de2fd5d6dd7828a07c3420626f53b93ea55e | |
| parent | deny "once" flags for match rules; ok henning (diff) | |
| download | wireguard-openbsd-136c26b862ba9f7b890810c1c0a02760cfc21ab3.tar.xz wireguard-openbsd-136c26b862ba9f7b890810c1c0a02760cfc21ab3.zip | |
limit CGI process execution time to make REDoS attacks less effective;
attack surface pointed out by Sebastien Marie
| -rw-r--r-- | usr.bin/mandoc/cgi.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/usr.bin/mandoc/cgi.c b/usr.bin/mandoc/cgi.c index f733a2d3256..a73f7c23c7b 100644 --- a/usr.bin/mandoc/cgi.c +++ b/usr.bin/mandoc/cgi.c @@ -1,4 +1,4 @@ -/* $Id: cgi.c,v 1.32 2014/08/08 17:17:42 schwarze Exp $ */ +/* $Id: cgi.c,v 1.33 2014/08/21 16:03:50 schwarze Exp $ */ /* * Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2014 Ingo Schwarze <schwarze@usta.de> @@ -15,6 +15,10 @@ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include <sys/types.h> +#include <sys/time.h> + #include <ctype.h> #include <errno.h> #include <fcntl.h> @@ -1025,10 +1029,23 @@ int main(void) { struct req req; + struct itimerval itimer; const char *path; const char *querystring; int i; + /* Poor man's ReDoS mitigation. */ + + itimer.it_value.tv_sec = 1; + itimer.it_value.tv_usec = 0; + itimer.it_interval.tv_sec = 1; + itimer.it_interval.tv_usec = 0; + if (setitimer(ITIMER_VIRTUAL, &itimer, NULL) == -1) { + fprintf(stderr, "setitimer: %s\n", strerror(errno)); + pg_error_internal(); + return(EXIT_FAILURE); + } + /* Scan our run-time environment. */ if (NULL == (scriptname = getenv("SCRIPT_NAME"))) |