Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/10/12 18:38:56 UTC

DO NOT REPLY [Bug 23753] New: - Rewrite rule infinite loop problem: security loop limit option required

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23753

           Summary: Rewrite rule infinite loop problem: security loop limit
                    option required
           Product: Apache httpd-1.3
           Version: 1.3.27
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: mod_rewrite
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: webmaster33@bigfoot.com


I tried the following rewrite rule in an .htaccess file, which causes an
infinite loop, and Apache memory usage is increased until there 
is free memory (and finally a crash is likely):
RewriteRule ^(.*)(/index.html)?$   /script.cgi?cat=$1

Test URL: http://www.site.com/Computers/Printers


I think the infinite loops should be avoided by implementing
a security loop counter option, which stops the cycle
after X loops.

My suggestion:
1) Add an option to RewriteOptions, named "SecurityLoop".
RewriteOptions securityloop=[number]
2) When the security_loop number is reached, the following log entry 
would be written into RewriteLog:
"SecurityLoop: X number of loops executed in a row, further loops 
are skipped to avoid server crash. Check if your rewrite rules 
are correct or set RewriteOptions SecurityLoop=0 to allow infinite loops."

By default the SecurityLoop value should be set to 200.
I think 200 is not so low as to cause problems, but still low enough 
to avoid infinite loops.

Examples:
- "RewriteOptions SecurityLoop=0" would mean that the feature
is turned off, so infinite loops can happen.
- "RewriteOptions SecurityLoop=200" would mean that loops 
will stop after 200 cycles. Additionally, a RewriteLog entry should
be added, which warns the admin that an infinite loop case
was likely avoided.

I hope you will like the idea, and that it will be implemented in later
1.3.x & 2.x releases.

Thanks,
Webmaster33
(using Apache v1.3.27)
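
Added example, not part of the original report and not Apache code: a simplified Python model of why the reported rule keeps matching its own output, and how a pass counter such as the proposed SecurityLoop bounds it. The function names and the `skip` guard are hypothetical, and the "re-run the rules on the rewritten path" behaviour is a modelling assumption.

```python
import re

# Assumed model of per-directory (.htaccess) rewriting: once a rule rewrites
# the URL, the request is processed again and the rule is re-run on the new path.
PATTERN = r"^(.*)(/index.html)?$"   # pattern from the report
TARGET = "/script.cgi?cat=$1"       # substitution from the report


def rewrite_once(path, pattern=PATTERN, target=TARGET, skip=None):
    """Apply the rule once; return the new URL, or None if the rule does not apply.
    `skip` is a hypothetical guard: paths matching it are left untouched."""
    rel = path.lstrip("/")          # per-directory rules see no leading slash
    if skip and re.search(skip, rel):
        return None
    m = re.search(pattern, rel)
    if m is None:
        return None
    return target.replace("$1", m.group(1))


def run(url, limit, skip=None):
    """Re-run the rule until it stops applying or `limit` passes are used.
    Returns (final_url, passes, limit_hit)."""
    if limit <= 0:
        raise ValueError("this model refuses an unbounded run")
    passes = 0
    while passes < limit:
        new = rewrite_once(url.split("?", 1)[0], skip=skip)
        if new is None:
            return url, passes, False   # rules settled on their own
        url, passes = new, passes + 1
    return url, passes, True            # counter reached: log and stop


def self_matching(pattern=PATTERN, target=TARGET):
    """Lint check: does the pattern match the path it rewrites to?"""
    target_path = target.split("?", 1)[0].lstrip("/")
    return re.search(pattern, target_path) is not None


if __name__ == "__main__":
    print(self_matching())                                     # rule feeds itself
    print(run("/Computers/Printers", 200))                     # stopped by counter
    print(run("/Computers/Printers", 200, skip=r"^script\.cgi$"))  # settles
```

The `self_matching` check can be run over a rule set before deployment to flag rules whose pattern also matches their own target path.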
