limit CGI process execution time to make REDoS attacks less effective;
authorIngo Schwarze <schwarze@openbsd.org>
Thu, 21 Aug 2014 16:05:21 +0000 (16:05 +0000)
committerIngo Schwarze <schwarze@openbsd.org>
Thu, 21 Aug 2014 16:05:21 +0000 (16:05 +0000)
attack surface pointed out by Sebastien Marie

cgi.c

diff --git a/cgi.c b/cgi.c
index 0ea3179def2bea64ec3321e49728a8413cd507d4..e4a31ada767e62acccfa709d8d7e66a3d4698e1a 100644 (file)
--- a/cgi.c
+++ b/cgi.c
@@ -1,4 +1,4 @@
-/*     $Id: cgi.c,v 1.94 2014/08/17 03:24:47 schwarze Exp $ */
+/*     $Id: cgi.c,v 1.95 2014/08/21 16:05:21 schwarze Exp $ */
 /*
  * Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2014 Ingo Schwarze <schwarze@usta.de>
@@ -18,6 +18,7 @@
 #include "config.h"
 
 #include <sys/types.h>
+#include <sys/time.h>
 
 #include <ctype.h>
 #include <errno.h>
@@ -1029,10 +1030,23 @@ int
 main(void)
 {
        struct req       req;
+       struct itimerval itimer;
        const char      *path;
        const char      *querystring;
        int              i;
 
+       /* Poor man's ReDoS mitigation. */
+
+       itimer.it_value.tv_sec = 1;
+       itimer.it_value.tv_usec = 0;
+       itimer.it_interval.tv_sec = 1;
+       itimer.it_interval.tv_usec = 0;
+       if (setitimer(ITIMER_VIRTUAL, &itimer, NULL) == -1) {
+               fprintf(stderr, "setitimer: %s\n", strerror(errno));
+               pg_error_internal();
+               return(EXIT_FAILURE);
+       }
+
        /* Scan our run-time environment. */
 
        if (NULL == (scriptname = getenv("SCRIPT_NAME")))
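Review bot: The new setitimer() call installs no handler for SIGVTALRM, so the mitigation relies on that signal's default action terminating the process, and nothing in the hunk says so; as far as the hunk shows, the it_interval assignments have no effect, because the first expiry already ends the process and no handler ever re-enters the loop. I would state that above the call, e.g. `/* No SIGVTALRM handler: its default action kills the process after one second of user CPU time, so no HTTP response is produced. */`. ITIMER_VIRTUAL also counts user CPU time only, which fits the stated ReDoS goal (the expensive matching runs in user space) but leaves wall-clock and system time unbounded; if that is the intent, the "Poor man's ReDoS mitigation" comment could say so. The enclosing main() continues past the end of the hunk.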