httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: [STATUS] (apache-1.3) Sun Jun 6 23:45:09 EDT 1999
Date Wed, 09 Jun 1999 21:28:10 GMT
On Wed, 9 Jun 1999, Rodent of Unusual Size wrote:

> >   1.3 STATUS:
> >   Last modified at [$Date: 1999/06/06 14:20:49 $]
> 	:
> > RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP:
> 	:
> >     * long pathnames with many components and no AllowOverride None
> >         Workaround is to define <Directory /> with AllowOverride None,
> >         which is something all sites should do in any case.
> >         Status: Marc was looking at it.
> 
> I can't find any references to this issue.  Roy added it to the
> STATUS file in December, but I've gone all through the 1998
> archives and I can't find any mention of it.

See messages sent to security@apache.org with a subject "Re: GET
/a/a/a/a/a/a/a/... (4,000 bytes long)" in December 98 or so.
Unfortunately, I guess it got dropped on the floor.  Sigh.

The following is what I said before:

Ok.  This particular problem doesn't pop up on most platforms because they
have {sane|silly} (take your pick) limits on the depth of a path.  There
are also various other DoS attacks that have been possible on Linux with
very deep paths that most other OSes don't allow because they limit the
depth.

The problem is the htaccess cache, which is O( sum(k=1..n, k)) (how do you
represent summation in ASCII?) which is O(n^2), where n is the depth of
the path.

There is the trivial solution of limiting the depth of paths that we
allow, and letting that be configured.  There will always be at least
minor DoS attacks based on path length without that because of how we
parse bottom up.

A temporary workaround is to set LimitRequestLine low, but that just
limits the total line.  ~8k request line means ~4k directory depth.  If
that were limited to a 1k request line and ~500 directory depth, it would
only be 1/64th as bad, so this temporary workaround is reasonably
practical.
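The quadratic cost and the LimitRequestLine arithmetic above, as an added model (not Apache code): it assumes handling the k-th directory prefix of an n-deep path costs k work units, that a request line of L bytes holds roughly (L - 13) / 2 single-character components, and that 8190 is the default LimitRequestLine.

```python
"""Model of the quadratic .htaccess walk described in the message.

Added illustration, not Apache code. Apache 1.3 visits every directory
component of the request path and consults the per-directory config
cache for each prefix. The model assumes the k-th prefix costs k work
units (building and comparing a k-component path), which gives
sum(k=1..n, k) = n(n+1)/2 = O(n^2) for a path of depth n.
"""


def deep_path(depth: int, component: str = "a") -> str:
    """Build a path of the given depth, e.g. depth 3 -> '/a/a/a'."""
    return "/" + "/".join([component] * depth)


def walk_cost(path: str) -> int:
    """Work units spent on one request under the model."""
    parts = [p for p in path.split("/") if p]
    cost = 0
    for k in range(1, len(parts) + 1):
        prefix = "/" + "/".join(parts[:k])
        cost += prefix.count("/")  # assumption: a k-component lookup costs k
    return cost


def max_depth(limit_request_line: int, component: str = "a") -> int:
    """Deepest path that fits in a request line of the given byte limit.

    Each component occupies len(component) + 1 bytes (one for the slash);
    "GET " and " HTTP/1.0" account for the remaining 13 bytes.
    """
    overhead = len("GET ") + len(" HTTP/1.0")
    return max(0, (limit_request_line - overhead) // (len(component) + 1))


def cost_ratio(depth_before: int, depth_after: int) -> float:
    """How much cheaper one request becomes when the depth is capped."""
    return walk_cost(deep_path(depth_before)) / walk_cost(deep_path(depth_after))


if __name__ == "__main__":
    # 8190 is the Apache default LimitRequestLine; 1000 is the workaround.
    for limit in (8190, 1000):
        d = max_depth(limit)
        print(f"LimitRequestLine {limit}: depth {d}, cost {walk_cost(deep_path(d))}")
    print(f"4000-deep vs 500-deep request: {cost_ratio(4000, 500):.1f}x")  # about 64x
```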

