httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <...@jaguNET.com>
Subject Re: [SECURITY] Apache-1.3.18
Date Mon, 12 Feb 2001 20:00:39 GMT
+1

Martin Kraemer wrote:
> 
> On Fri, Feb 09, 2001 at 11:11:42AM +0100, Martin Kraemer wrote:
> > +#ifdef ENAMETOOLONG
> > +            /* Special case for filenames which exceed the maximum limit
> > +	     * imposed by the operating system (~1024). These should
> > +	     * NOT be treated like "file not found", because there is
> > +	     * a difference between "the file is not there" and
> > +	     * "the file exists, but you tried to access it using a
> > +	     * path which exceeds the path length limit".
> > +	     * The idea here is to handle DoS attacks with long
> > +	     * runs of //////'s in a graceful and secure manner.
> > +	     */
> > +            if (errno == ENAMETOOLONG) {
> > +                rnew->status = HTTP_FORBIDDEN;
> > +                return rnew;
> > +            }
> > +#endif
> 
> Does everybody agree that exceeding the maximum path length is important
> enough to justify an extra log entry here? Something like
> 
>                if (errno == ENAMETOOLONG) {
>                    ap_log_rerror(APLOG_MARK, APLOG_CRIT, r,
>                       "Possible DoS attempt? URL=%s", r->filename);
>                    rnew->status = HTTP_FORBIDDEN;
>                    return rnew;
>                }
> Just a thought.
> 
>     Martin
> -- 
> <Martin.Kraemer@Fujitsu-Siemens.com>    |       Fujitsu Siemens
>        <martin@apache.org>              |   81730  Munich,  Germany
> 


-- 
===========================================================================
   Jim Jagielski   [|]   jim@jaguNET.com   [|]   http://www.jaguNET.com/
          "Casanova will have many weapons; To beat him you will
              have to have more than forks and flatulence."

Mime
View raw message