diff options
author | Ingo Schwarze <schwarze@openbsd.org> | 2014-08-21 16:05:21 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2014-08-21 16:05:21 +0000 |
commit | 4a92d35e35b13fe8050447c6b17c86b6c4695068 (patch) | |
tree | 79e0e44a5d49ea384f6106dc7b062edf77da0b3b | |
parent | 789c95de5c329863a91a87b7615365dddd3a887a (diff) | |
download | mandoc-4a92d35e35b13fe8050447c6b17c86b6c4695068.tar.gz |
limit CGI process execution time to make REDoS attacks less effective;
attack surface pointed out by Sebastien Marie
-rw-r--r-- | cgi.c | 14 |
1 files changed, 14 insertions, 0 deletions
@@ -18,6 +18,7 @@ #include "config.h" #include <sys/types.h> +#include <sys/time.h> #include <ctype.h> #include <errno.h> @@ -1029,10 +1030,23 @@ int main(void) { struct req req; + struct itimerval itimer; const char *path; const char *querystring; int i; + /* Poor man's ReDoS mitigation. */ + + itimer.it_value.tv_sec = 1; + itimer.it_value.tv_usec = 0; + itimer.it_interval.tv_sec = 1; + itimer.it_interval.tv_usec = 0; + if (setitimer(ITIMER_VIRTUAL, &itimer, NULL) == -1) { + fprintf(stderr, "setitimer: %s\n", strerror(errno)); + pg_error_internal(); + return(EXIT_FAILURE); + } + /* Scan our run-time environment. */ if (NULL == (scriptname = getenv("SCRIPT_NAME"))) |