[TYPO3-core] RFC: (urgent for 4.0.1) DoS when processing non-existing 404 page

[Dmitry Dulepov]

Hi!

This is SVN patch request.

Problem: DoS will occur if 
$TYPO3_CONF_VARS['FE']['pageNotFound_handling'] is configured to use 
non-existing URL at the current site. The same page will be requested 
again and again, increasing memory and loading CPU a lot. Problem exists 
only for 4.0.1, previous versions are safe.

Steps to reproduce:
1. Set this in your localconf.php:
$TYPO3_CONF_VARS['FE']['pageNotFound_handling'] = '/index.php?id=99999';
2. Request non-existing page
3. Try to operate your computer (if you can!)
Do not try it on a live or shared server though.

Solution: check for recursion by comparing current and 404 urls. If they 
match, produce standard error box instead of error page.

This patches also fixes two small things in that function:
1. removes many 'exit' calls and places only one at the end of function
2. corrects one of error messages not to show 'Error' twice.

Dmitry.
-- 
"It is our choices, that show what we truly are,
far more than our abilities." (A.P.W.B.D.)
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 404_loop.patch
Url: http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20060728/389d7417/attachment.asc