Greetings fellow nginx-devs, It looks to me as if an attacker could force the server to use up a large amount of resources doing ngx_http_regex_exec if the server were to be configured with a relatively large number of regex server_names. I would appreciate any ideas on the topic, especially suggestions as to how some form of caching could be implemented for the responses, so that the server didn't have to execute the ngx_http_regex_exec on subsequent requests.
2375 for (i = 0; i < virtual_names->nregex; i++) { 2376 2377 n = ngx_http_regex_exec(r, sn[i].regex, host); 2378 2379 if (n == NGX_DECLINED) { 2380 continue; 2381 } 2382 2383 if (n == NGX_OK) { 2384 *cscfp = sn[i].server; 2385 return NGX_OK; 2386 } 2387 2388 return NGX_ERROR; 2389 } ./src/http/ngx_http_request.c Regards, Gabriel
_______________________________________________ nginx mailing list nginx@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx