[TYPO3-core] RFC: (urgent for 4.0.1) DoS when processing non-existing 404 page

Michael Stucki michael at typo3.org
Mon Jul 31 02:11:39 CEST 2006


Hi Dmitry,

reproduced & tested, +1 for your solution.

Please change the wording slightly:
- $reason .= chr(10) . chr(10) . 'Additionally ' . $code . ' was not found while trying to retrieve error document.';
+ $reason .= chr(10) . chr(10) . 'Additionally, '. $code . ' was not found while trying to retrieve the error document.';
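Review bot: both the removed and the added line interpolate `$code` (the configured 404 URL, per the request's "comparing current and 404 urls") into `$reason` without escaping; if `$reason` is later rendered inside the HTML "standard error box" the request mentions, pass it through htmlspecialchars() at the point of output rather than relying on the value being admin-controlled.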


At all: Since this patch is important but critical, I would like to have
at least one more review of this patch. Thanks for your help!

Regards, michael

> This is SVN patch request.
> 
> Problem: DoS will occur if
> $TYPO3_CONF_VARS['FE']['pageNotFound_handling'] is configured to use a
> non-existing URL at the current site. The same page will be requested
> again and again, increasing memory and loading the CPU a lot. The problem exists
> only for 4.0.1, previous versions are safe.
> 
> Steps to reproduce:
> 1. Set this in your localconf.php:
> $TYPO3_CONF_VARS['FE']['pageNotFound_handling'] = '/index.php?id=99999';
> 2. Request non-existing page
> 3. Try to operate your computer (if you can!)
> Do not try it on a live or shared server though.
> 
> Solution: check for recursion by comparing the current and 404 URLs. If they
> match, produce the standard error box instead of the error page.
> 
> This patch also fixes two small things in that function:
> 1. removes many 'exit' calls and places only one at the end of the function
> 2. corrects one of the error messages not to show 'Error' twice.
> 
> Dmitry.

-- 
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
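The recursion check Dmitry describes, written out as an added example for readers of the archive (this is not TYPO3's code and not the committed patch; the function names normalizeLocalUrl, handlePageNotFound, renderErrorBox and fetchErrorDocument are hypothetical). The check goes a step further than a plain string comparison: it reduces both the configured 404 URL and the current request to path plus sorted query so that a relative value such as '/index.php?id=99999' is recognised as the page currently being served even when the request arrived as an absolute URL or with parameters in a different order.

```php
<?php
// Added example (not TYPO3 code): guard a configurable "page not found"
// document against requesting itself. All function names are hypothetical.

/**
 * Reduce a URL to the part that identifies a resource on this site
 * (path + normalised query), so that '/index.php?id=99999' and
 * 'http://www.example.com/index.php?id=99999' compare equal.
 * Returns null for URLs on another host: those cannot loop back into us.
 */
function normalizeLocalUrl(string $url, string $currentHost): ?string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }
    if (isset($parts['host']) && strcasecmp($parts['host'], $currentHost) !== 0) {
        return null; // foreign host, not a self-request
    }
    $path = $parts['path'] ?? '/';
    $query = '';
    if (isset($parts['query'])) {
        // Re-encode with sorted keys so parameter order cannot defeat the comparison.
        parse_str($parts['query'], $params);
        ksort($params);
        $query = http_build_query($params);
    }
    return $path . ($query !== '' ? '?' . $query : '');
}

/**
 * Decide how to answer a 404. $notFoundHandling plays the role of
 * $TYPO3_CONF_VARS['FE']['pageNotFound_handling']; $requestUri and $host
 * describe the request being served right now. Returns the body to emit.
 */
function handlePageNotFound(string $notFoundHandling, string $requestUri, string $host, string $reason): string
{
    $code = $notFoundHandling;
    $target = normalizeLocalUrl($code, $host);
    $current = normalizeLocalUrl($requestUri, $host);

    if ($target !== null && $target === $current) {
        // The error document *is* the page that just failed. Fetching it would
        // issue the same request again and again; fall back to a static box.
        $reason .= chr(10) . chr(10) . 'Additionally, ' . $code . ' was not found while trying to retrieve the error document.';
        return renderErrorBox($reason);
    }
    return fetchErrorDocument($code, $host);
}

/** Static error box; $reason is escaped because it embeds the configured URL. */
function renderErrorBox(string $reason): string
{
    return '<div class="error"><pre>' . htmlspecialchars($reason, ENT_QUOTES, 'UTF-8') . '</pre></div>';
}

/** Fetch the configured error document with a bounded timeout (assumed 5 s). */
function fetchErrorDocument(string $code, string $host): string
{
    $url = preg_match('#^https?://#i', $code) ? $code : 'http://' . $host . $code;
    $ctx = stream_context_create(['http' => ['timeout' => 5, 'ignore_errors' => true]]);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? renderErrorBox('Error document could not be retrieved.') : $body;
}

// Constructed demonstration: the nested request for the 404 page itself.
echo handlePageNotFound('/index.php?id=99999', '/index.php?id=99999', 'www.example.com', 'Page not found.'), PHP_EOL;
```

In the scenario from the request, the first 404 (some other missing id) takes the fetch branch; the nested request for id=99999 then sees target and current URL agree and gets the static box, which is where the loop is cut.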



More information about the TYPO3-team-core mailing list