Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/07/11 02:40:17 UTC
DO NOT REPLY [Bug 51495] New: mod_substitute cpu and memory limit
https://issues.apache.org/bugzilla/show_bug.cgi?id=51495
Bug #: 51495
Summary: mod_substitute cpu and memory limit
Product: Apache httpd-2
Version: 2.2.19
Platform: PC
OS/Version: NetBSD
Status: NEW
Severity: normal
Priority: P2
Component: mod_substitute
AssignedTo: bugs@httpd.apache.org
ReportedBy: max@cxib.net
Classification: Unclassified
In my opinion a CPU and memory limit for mod_substitute is missing here.
The first problem in this module is that it does not limit execution time and
memory. It allows a local denial of service. We don't need to be convinced that
the use of PCRE is dangerous. So we need to limit output time and memory in
mod_substitute.
-memory-exhaustion-
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|(.*(!?))||if"
-memory-exhaustion-
Result:
Jul 5 13:16:04 127 /netbsd: UVM: pid 1768 (httpd), uid 1006 killed: out of swap
-crash-
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|((.*){2222,}(.*){2222,})||iq"
-crash-
Result:
[Mon Jul 11 02:57:29 2011] [notice] child pid 28 exit signal Illegal instruction (4)
-cpu-exhaustion-
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|(.*+(.*){2222,}(.*)+(.*){22,})||iq"
-cpu-exhaustion-
Result:
Long execution time, leading to memory exhaustion.
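The three directives above all put an unbounded repeat (`.*`) inside a group and then repeat that group again, or ask for thousands of repetitions of it, which is what drives PCRE's backtracking cost up. A defender cannot change the regex engine from the configuration, but such directives can be caught at config-review time. The script below is an added example written for this report; it is not code from the reporter or from httpd, and its "risk" rules (nested unbounded quantifiers, counted repeats above a threshold of 1000, a leading `.*`) and the sample configuration are my own heuristics and constructed input. It deliberately scans the pattern text statically instead of compiling it, so the check itself cannot be stalled by the pattern it is inspecting.

```python
import re

# Constructed sample configuration: the three directive shapes from the report
# plus two benign ones. Not a copy of any real server's configuration.
SAMPLE_CONFIG = r"""AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|(.*(!?))||if"
Substitute "s|((.*){2222,}(.*){2222,})||iq"
Substitute "s|(.*+(.*){2222,}(.*)+(.*){22,})||iq"
Substitute "s/Copyright 2010/Copyright 2011/"
Substitute "s|href=\"/old/([a-z]+)\.html\"|href=\"/new/$1.html\"|i"
"""

DIRECTIVE = re.compile(r'^\s*Substitute\s+(.+?)\s*$')
COUNTED_REPEAT = re.compile(r'\{(\d+)(?:,(\d*))?\}')
MAX_REPEAT_COUNT = 1000   # threshold for the "large-repeat" finding (my choice)


def split_substitute(arg):
    """Split 's<d>pattern<d>replacement<d>flags' on its delimiter <d>,
    keeping backslash-escaped delimiters inside the pieces."""
    if len(arg) < 2 or arg[0] != 's':
        raise ValueError('not an s<delim>...<delim> argument: %r' % arg)
    delim, parts, cur, i = arg[1], [], [], 2
    while i < len(arg):
        c = arg[i]
        if c == '\\' and i + 1 < len(arg):      # escaped char: copy both bytes verbatim
            cur.extend((c, arg[i + 1]))
            i += 2
            continue
        if c == delim:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append(''.join(cur))
    if len(parts) < 2:
        raise ValueError('missing replacement in %r' % arg)
    pattern, replacement = parts[0], parts[1]
    flags = parts[2] if len(parts) > 2 else ''
    return pattern, replacement, flags


def analyse_pattern(pat):
    """Static, heuristic scan of a PCRE-style pattern for constructs that make
    matching cost explode. Returns a list of (kind, offending_text) tuples."""
    findings = []
    if re.match(r'\(*\.[*+]', pat):             # unanchored leading .* rescans to end of input
        findings.append(('leading-dotstar', re.match(r'\(*\.[*+]', pat).group(0)))
    groups = []            # stack of [start_index, contains_unbounded_repeat]
    closed = (0, False)    # most recently closed group: (start_index, contained_unbounded)
    last = 'start'         # previous token class: 'atom', 'group', 'quant'
    i, n = 0, len(pat)
    while i < n:
        c = pat[i]
        if c == '\\':                           # escaped literal, skip both characters
            last, i = 'atom', i + 2
            continue
        if c == '[':                            # character class: skip to its closing ]
            j = i + 1
            if j < n and pat[j] == '^':
                j += 1
            if j < n and pat[j] == ']':
                j += 1
            while j < n and pat[j] != ']':
                j += 2 if pat[j] == '\\' else 1
            last, i = 'atom', j + 1
            continue
        if c == '(':
            groups.append([i, False])
            i += 1
            continue
        if c == ')':
            start, flag = groups.pop() if groups else (0, False)
            if flag and groups:                 # an inner unbounded repeat taints the outer group too
                groups[-1][1] = True
            closed, last, i = (start, flag), 'group', i + 1
            continue
        # quantifier handling: *, +, ?, {n}, {n,}, {n,m}
        quant, qstart = None, i
        if c in '*+?':
            if last == 'quant':                 # lazy (?) or possessive (+) modifier, not a new repeat
                i += 1
                continue
            quant = {'*': (0, None), '+': (1, None), '?': (0, 1)}[c]
            i += 1
        elif c == '{':
            m = COUNTED_REPEAT.match(pat, i)
            if m:
                lo = int(m.group(1))
                hi = lo if m.group(2) is None else (int(m.group(2)) if m.group(2) else None)
                quant, i = (lo, hi), m.end()
        if quant is None:                       # ordinary atom
            last, i = 'atom', i + 1
            continue
        lo, hi = quant
        unbounded = hi is None
        repeats = unbounded or hi > 1
        if lo > MAX_REPEAT_COUNT or (hi is not None and hi > MAX_REPEAT_COUNT):
            findings.append(('large-repeat', pat[qstart:i]))
        if last == 'group' and closed[1] and repeats:   # (.*)+ , (.*){n,} and friends
            findings.append(('nested-quantifier', pat[closed[0]:i]))
        if unbounded and groups:
            groups[-1][1] = True
        last = 'quant'
    return findings


def lint_config(text):
    """One report per Substitute directive: line number, pattern, flags and findings."""
    reports = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        arg = m.group(1)
        if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
            arg = arg[1:-1]
        pattern, _, flags = split_substitute(arg)
        reports.append({'line': lineno, 'pattern': pattern, 'flags': flags,
                        'findings': analyse_pattern(pattern)})
    return reports


if __name__ == '__main__':
    for r in lint_config(SAMPLE_CONFIG):
        status = 'RISKY' if r['findings'] else 'ok'
        print('line %d [%s] %s' % (r['line'], status, r['pattern']))
        for kind, text in r['findings']:
            print('    %-18s %s' % (kind, text))
```

Run it against a real `httpd.conf` by passing the file contents to `lint_config`; the rules are intentionally conservative (a `nested-quantifier` finding is worth a look, not an automatic rejection), and the `MAX_REPEAT_COUNT` threshold is an assumption to tune per deployment.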