summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorIngo Schwarze <schwarze@openbsd.org>2014-08-21 16:05:21 +0000
committerIngo Schwarze <schwarze@openbsd.org>2014-08-21 16:05:21 +0000
commit4a92d35e35b13fe8050447c6b17c86b6c4695068 (patch)
tree79e0e44a5d49ea384f6106dc7b062edf77da0b3b
parent789c95de5c329863a91a87b7615365dddd3a887a (diff)
downloadmandoc-4a92d35e35b13fe8050447c6b17c86b6c4695068.tar.gz
limit CGI process execution time to make REDoS attacks less effective;
attack surface pointed out by Sebastien Marie
-rw-r--r--cgi.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/cgi.c b/cgi.c
index 42457840..07f252fd 100644
--- a/cgi.c
+++ b/cgi.c
@@ -18,6 +18,7 @@
#include "config.h"
#include <sys/types.h>
+#include <sys/time.h>
#include <ctype.h>
#include <errno.h>
@@ -1029,10 +1030,23 @@ int
main(void)
{
struct req req;
+ struct itimerval itimer;
const char *path;
const char *querystring;
int i;
+ /* Poor man's ReDoS mitigation. */
+
+ itimer.it_value.tv_sec = 1;
+ itimer.it_value.tv_usec = 0;
+ itimer.it_interval.tv_sec = 1;
+ itimer.it_interval.tv_usec = 0;
+ if (setitimer(ITIMER_VIRTUAL, &itimer, NULL) == -1) {
+ fprintf(stderr, "setitimer: %s\n", strerror(errno));
+ pg_error_internal();
+ return(EXIT_FAILURE);
+ }
+
/* Scan our run-time environment. */
if (NULL == (scriptname = getenv("SCRIPT_NAME")))