limit CGI process execution time to make REDoS attacks less effective;

attack surface pointed out by Sebastien Marie
author: Ingo Schwarze <schwarze@openbsd.org> 2014-08-21 16:05:21 +0000
committer: Ingo Schwarze <schwarze@openbsd.org> 2014-08-21 16:05:21 +0000
commit: 4a92d35e35b13fe8050447c6b17c86b6c4695068 (patch)
tree: 79e0e44a5d49ea384f6106dc7b062edf77da0b3b
parent: 789c95de5c329863a91a87b7615365dddd3a887a (diff)
download: mandoc-4a92d35e35b13fe8050447c6b17c86b6c4695068.tar.gz
1 files changed, 14 insertions, 0 deletions
diff --git a/cgi.c b/cgi.c
index 42457840..07f252fd 100644
--- a/cgi.c
+++ b/cgi.c
@@ -18,6 +18,7 @@
 #include "config.h"
 
 #include <sys/types.h>
+#include <sys/time.h>
 
 #include <ctype.h>
 #include <errno.h>
@@ -1029,10 +1030,23 @@ int
 main(void)
 {
 	struct req	 req;
+	struct itimerval itimer;
 	const char	*path;
 	const char	*querystring;
 	int		 i;
 
+	/* Poor man's ReDoS mitigation. */
+
+	itimer.it_value.tv_sec = 1;
+	itimer.it_value.tv_usec = 0;
+	itimer.it_interval.tv_sec = 1;
+	itimer.it_interval.tv_usec = 0;
+	if (setitimer(ITIMER_VIRTUAL, &itimer, NULL) == -1) {
+		fprintf(stderr, "setitimer: %s\n", strerror(errno));
+		pg_error_internal();
+		return(EXIT_FAILURE);
+	}
+
 	/* Scan our run-time environment. */
 
 	if (NULL == (scriptname = getenv("SCRIPT_NAME")))
author	Ingo Schwarze <schwarze@openbsd.org>	2014-08-21 16:05:21 +0000
committer	Ingo Schwarze <schwarze@openbsd.org>	2014-08-21 16:05:21 +0000
commit	4a92d35e35b13fe8050447c6b17c86b6c4695068 (patch)
tree	79e0e44a5d49ea384f6106dc7b062edf77da0b3b
parent	789c95de5c329863a91a87b7615365dddd3a887a (diff)
download	mandoc-4a92d35e35b13fe8050447c6b17c86b6c4695068.tar.gz