Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/10/12 18:38:56 UTC
DO NOT REPLY [Bug 23753] New: -
Rewrite rule infinite loop problem: security loop limit option required
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23753
Summary: Rewrite rule infinite loop problem: security loop limit option required
Product: Apache httpd-1.3
Version: 1.3.27
Platform: All
OS/Version: All
Status: NEW
Severity: Enhancement
Priority: Other
Component: mod_rewrite
AssignedTo: bugs@httpd.apache.org
ReportedBy: webmaster33@bigfoot.com
I tried the following rewrite rule in a .htaccess file, which causes
an infinite loop, and Apache memory usage is increased until there
is free memory (and finally a crash is likely):

    RewriteRule ^(.*)(/index.html)?$ /script.cgi?cat=$1

Test URL: http://www.site.com/Computers/Printers

I think the infinite loops should be avoided by implementing
a security loop counter option, which stops the cycle
after X loops.
My suggestion:
1) Add an option to RewriteOptions, named "SecurityLoop".
RewriteOptions securityloop=[number]
2) When the security_loop number is reached, the following log entry
would be written into RewriteLog:
"SecurityLoop: X number of loops executed in a row, further loops
are skipped to avoid server crash. Check if your rewrite rules
are correct or set RewriteOptions SecurityLoop=0 to allow infinite loops."
By default, the SecurityLoop value should be set to 200.
I think 200 is not so low as to cause problems, but still low enough
to avoid infinite loops.
Examples:
- "RewriteOptions SecurityLoop=0" would mean that the feature
is turned off, so infinite loops can happen.
- "RewriteOptions SecurityLoop=200" would mean that loops
will stop after 200 cycles. Additionally, a RewriteLog entry should
be added, which warns the admin that an infinite loop case
was likely avoided.
I hope you will like the idea, and that it will be implemented in later
1.3.x & 2.x releases.
Thanks,
Webmaster33
(using Apache v1.3.27)
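
Added example (not part of the original report, and not mod_rewrite's code): a simplified Python model of the reported rule and of the proposed SecurityLoop counter, showing that the pattern also matches its own rewrite target. It assumes every rewrite re-enters rule processing; the names rewrite_once, serve and guard are hypothetical, and guard stands for an added RewriteCond that excludes /script.cgi.

```python
import re

# Rule quoted in the report:
#   RewriteRule ^(.*)(/index.html)?$ /script.cgi?cat=$1
PATTERN = re.compile(r"^(.*)(/index.html)?$")
TARGET = "/script.cgi"


def rewrite_once(path, guard=False):
    """Apply the rule to a per-directory path; None means it did not fire."""
    rel = path.lstrip("/")  # .htaccess rules see the path without the leading slash
    # guard=True models an added condition that excludes the rewrite target:
    #   RewriteCond %{REQUEST_URI} !^/script\.cgi$
    if guard and rel == TARGET.lstrip("/"):
        return None
    m = PATTERN.match(rel)
    if m is None:
        return None
    return TARGET, "cat=" + m.group(1)


def serve(path, security_loop=200, guard=False):
    """Re-run the rule after every rewrite, as an internal redirect would.

    security_loop=0 disables the limit, as in the proposal; a looping rule
    then never returns from this model.
    """
    passes, query, log = 0, "", []
    while True:
        result = rewrite_once(path, guard)
        if result is None:
            status = "served"
            break
        if security_loop and passes == security_loop:
            # Constructed log line, shortened from the wording proposed in the report.
            log.append(f"SecurityLoop: {passes} number of loops executed in a row, "
                       "further loops are skipped")
            status = "stopped"
            break
        path, query = result
        passes += 1
    return {"status": status, "passes": passes, "path": path,
            "query": query, "log": log}


if __name__ == "__main__":
    print(serve("/Computers/Printers"))              # unguarded rule hits the limit
    print(serve("/Computers/Printers", guard=True))  # guarded rule settles after one rewrite
```
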