DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23753>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23753

           Summary: Rewrite rule infinite loop problem: security loop limit option required
           Product: Apache httpd-1.3
           Version: 1.3.27
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: mod_rewrite
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: [EMAIL PROTECTED]

I tried the following rewrite rule in a .htaccess file, which causes an infinite loop, and Apache memory usage is increased until there is free memory (and finally a crash is likely):

    RewriteRule ^(.*)(/index.html)?$ /script.cgi?cat=$1

Test URL: http://www.site.com/Computers/Printers

I think infinite loops should be avoided by implementing a security loop counter option, which stops the cycle after X loops.

My suggestion:

1) Add an option to RewriteOptions, named "SecurityLoop".

    RewriteOptions securityloop=[number]

2) When security_loop number is reached, the following log entry would be written into RewriteLog:

    "SecurityLoop: X number of loops executed in a row, further loops are skipped to avoid server crash. Check if your rewrite rules are correct or set RewriteOptions SecurityLoop=0 to allow infinite loops."

By default the SecurityLoop value should be set to 200. I think 200 is not so low as to cause problems, but still low enough to avoid infinite loops.

Examples:

- "RewriteOptions SecurityLoop=0" would mean that the feature is turned off, so infinite loops can happen.
- "RewriteOptions SecurityLoop=200" would mean that loops will stop after 200 cycles. Additionally, a RewriteLog entry should be added, which warns the admin that likely an infinite loop case was avoided.

I hope you will like the idea, and that it will be implemented in later 1.3.x & 2.x releases.

Thanks,
Webmaster33 (using Apache v1.3.27)
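
A simplified model of the loop in the report above, as an added example (not part of the original message and not mod_rewrite code). It assumes per-directory rules are re-run on the rewritten path after every rewrite and uses Python's `re` in place of Apache's regex engine; `loop_limit` stands in for the proposed SecurityLoop value, and `count_passes`, `rewrite_once` and the second rule in the test are constructed for illustration.

```python
import re


def parse_rule(line):
    """Split 'RewriteRule PATTERN SUBSTITUTION' into (compiled pattern, substitution)."""
    parts = line.split()
    if len(parts) < 3 or parts[0].lower() != "rewriterule":
        raise ValueError("not a RewriteRule line: %r" % line)
    return re.compile(parts[1]), parts[2]


def rewrite_once(pattern, substitution, path):
    """Apply the rule once; return the new path, or None if the rule does not match."""
    m = pattern.search(path)
    if m is None:
        return None
    # Expand $N back-references; a group that did not participate expands to "".
    expanded = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", substitution)
    # The query string is not part of the path the rule sees on the next pass,
    # and in per-directory context the leading slash is stripped before matching.
    return expanded.split("?", 1)[0].lstrip("/")


def count_passes(rule_line, path, loop_limit=200):
    """Re-run the rule until it stops matching or loop_limit passes were made.

    Returns (passes, stopped_by_limit). loop_limit must be positive; the
    "0 = unlimited" setting from the proposal is deliberately not modelled.
    """
    pattern, substitution = parse_rule(rule_line)
    passes = 0
    while passes < loop_limit:
        new_path = rewrite_once(pattern, substitution, path)
        if new_path is None:
            return passes, False   # rule no longer matches: rewriting terminated
        path = new_path
        passes += 1
    return passes, True            # cap reached: the rule keeps matching its own output


if __name__ == "__main__":
    reported = "RewriteRule ^(.*)(/index.html)?$ /script.cgi?cat=$1"
    print(count_passes(reported, "Computers/Printers"))
```

The reported pattern `^(.*)(/index.html)?$` matches every path, including `script.cgi`, so in this model only the cap ends the rewriting.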