[TYPO3-core] RFC: (urgent for 4.0.1) DoS when processing non-existing 404 page

Dmitry Dulepov typo3 at accio.lv
Fri Jul 28 15:10:25 CEST 2006


This is an SVN patch request.

Problem: a DoS will occur if 
$TYPO3_CONF_VARS['FE']['pageNotFound_handling'] is configured to use a 
non-existing URL at the current site. The same page will be requested 
again and again, increasing memory and loading the CPU a lot. The problem 
exists only in 4.0.1; previous versions are safe.

Steps to reproduce:
1. Set this in your localconf.php:
$TYPO3_CONF_VARS['FE']['pageNotFound_handling'] = '/index.php?id=99999';
2. Request non-existing page
3. Try to operate your computer (if you can!)
Do not try it on a live or shared server though.

Solution: check for recursion by comparing the current and 404 URLs. If they 
match, produce the standard error box instead of the error page.

This patch also fixes two small things in that function:
1. removes the many 'exit' calls and places only one at the end of the function
2. corrects one of the error messages so that it does not show 'Error' twice.

"It is our choices, that show what we truly are,
far more than our abilities." (A.P.W.B.D.)
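The recursion check described above, written out as an added example. This is not the attached patch and not TYPO3's own code; the function names (normalizeUrl, isPageNotFoundLoop, handlePageNotFound) and the site host example.org are assumptions made for the illustration. It shows why the reproduction config loops: the 404 target /index.php?id=99999 does not exist either, so its own request lands back in the not-found handler with the same URL, and a plain comparison of the two URLs is enough to break the cycle and fall back to an error box.

```php
<?php
// Added example, not TYPO3 code. Hypothetical helper names throughout.

/**
 * Reduce a site-relative or absolute URL to a comparable form.
 * The host is kept only when the URL carries one, so
 * "/index.php?id=99999" and "http://example.org/index.php?id=99999"
 * compare equal when both refer to the same request on this site.
 * (example.org is an assumed site host for the demo.)
 */
function normalizeUrl(string $url, string $siteHost = 'example.org'): string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return $url;
    }
    $host  = strtolower($parts['host'] ?? $siteHost);
    $path  = $parts['path'] ?? '/';
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $host . $path . $query;
}

/**
 * True when the URL configured in pageNotFound_handling is the very
 * request that is currently being handled, i.e. fetching it would
 * re-enter this handler with the same URL.
 */
function isPageNotFoundLoop(string $currentUri, string $handling): bool
{
    return normalizeUrl($currentUri) === normalizeUrl($handling);
}

/**
 * Stand-in for the not-found handler: either names the URL that would be
 * fetched as the 404 page, or returns the standard error box text when a
 * loop is detected (the real function would output these instead).
 */
function handlePageNotFound(string $currentUri, string $handling): string
{
    if (isPageNotFoundLoop($currentUri, $handling)) {
        return 'Error: the configured pageNotFound_handling URL ('
            . $handling . ') is itself not found; not fetching it again';
    }
    return 'fetch: ' . $handling;
}

// Demo mirroring the report's localconf.php setting (constructed input).
$handling = '/index.php?id=99999';

// A visitor requests some missing page: the 404 page is fetched normally.
echo handlePageNotFound('/index.php?id=12345', $handling), "\n";

// The 404 page itself does not exist, so its fetch ends up here with the
// same URL: the loop is detected and an error box is produced instead.
echo handlePageNotFound('/index.php?id=99999', $handling), "\n";

// Absolute form of the same target still matches (assumed host example.org).
echo handlePageNotFound('http://example.org/index.php?id=99999', $handling), "\n";
```

The comparison is deliberately exact on path and query; a looser match (ignoring parameter order, for instance) would catch more self-references but risks treating a legitimately different 404 page as a loop, so the conservative check is the one to start with.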
Name: 404_loop.patch
Url: http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20060728/389d7417/attachment.asc 
