httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@worldgate.com>
Subject Re: [PATCH] fix pcfg_openfile() (was: mod_auth-any/1672: Authentication / .htaccess DoS attack)
Date Thu, 15 Jan 1998 20:43:42 GMT
On Thu, 15 Jan 1998, Martin Kraemer wrote:

> On Wed, Jan 14, 1998 at 02:50:01PM -0600, Igor Tatarinov wrote:
> > But why not do this checking in mod_auth ?
> > or pcfg_openfile might be the right function to fix.
> 
> I think that's a sensible idea. The number of pcfg_openfile() calls is
> limited to reading the config files, the htpasswd files, the .htaccess
> files, in short all those files where it is not acceptable to read
> from devices (or directories ;-).

How about opening with O_NDELAY and changing the routine to detect if we
hit the end of the 8k buffer before the end of the line and, if so,
returning an error?  This is something that really should be done
regardless to report a proper error.

This does not completely prevent the attempt at reading the file from
blocking (only in at least 99% of the cases; although 1% can be bad...)
but does make it a lot more difficult for it to block and prevents endless
reads.  

Heck, lets think up some cool attacks on systems that use automounters or
AFS.  Lots of room for making things block there, and the above doesn't
fix that.  Hmm.  If O_NDELAY stopped such network file read from blocking,
it would be no good.  If it didn't, it wouldn't prevent the above anyway.

Mime
  • Unnamed multipart/mixed (inline, None, 0 bytes)
View raw message