From 5eec60b6e3415a34bd5237de153e27e9800dba8e Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Thu, 21 Aug 2014 16:05:21 +0000
Subject: limit CGI process execution time to make REDoS attacks less
 effective; attack surface pointed out by Sebastien Marie

---
 cgi.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/cgi.c b/cgi.c
index 0ea3179d..e4a31ada 100644
--- a/cgi.c
+++ b/cgi.c
@@ -1,4 +1,4 @@
-/*	$Id: cgi.c,v 1.94 2014/08/17 03:24:47 schwarze Exp $ */
+/*	$Id: cgi.c,v 1.95 2014/08/21 16:05:21 schwarze Exp $ */
 /*
  * Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2014 Ingo Schwarze <schwarze@usta.de>
@@ -18,6 +18,7 @@
 #include "config.h"
 
 #include <sys/types.h>
+#include <sys/time.h>
 
 #include <ctype.h>
 #include <errno.h>
@@ -1029,10 +1030,23 @@ int
 main(void)
 {
 	struct req	 req;
+	struct itimerval itimer;
 	const char	*path;
 	const char	*querystring;
 	int		 i;
 
+	/* Poor man's ReDoS mitigation. */
+
+	itimer.it_value.tv_sec = 1;
+	itimer.it_value.tv_usec = 0;
+	itimer.it_interval.tv_sec = 1;
+	itimer.it_interval.tv_usec = 0;
+	if (setitimer(ITIMER_VIRTUAL, &itimer, NULL) == -1) {
+		fprintf(stderr, "setitimer: %s\n", strerror(errno));
+		pg_error_internal();
+		return(EXIT_FAILURE);
+	}
+
 	/* Scan our run-time environment. */
 
 	if (NULL == (scriptname = getenv("SCRIPT_NAME")))
-- 
cgit v1.2.3-56-ge451