From 136c26b862ba9f7b890810c1c0a02760cfc21ab3 Mon Sep 17 00:00:00 2001
From: schwarze <schwarze@openbsd.org>
Date: Thu, 21 Aug 2014 16:03:50 +0000
Subject: [PATCH] limit CGI process execution time to make REDoS attacks less
 effective; attack surface pointed out by Sebastien Marie

---
 usr.bin/mandoc/cgi.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/usr.bin/mandoc/cgi.c b/usr.bin/mandoc/cgi.c
index f733a2d3256..a73f7c23c7b 100644
--- a/usr.bin/mandoc/cgi.c
+++ b/usr.bin/mandoc/cgi.c
@@ -1,4 +1,4 @@
-/*	$Id: cgi.c,v 1.32 2014/08/08 17:17:42 schwarze Exp $ */
+/*	$Id: cgi.c,v 1.33 2014/08/21 16:03:50 schwarze Exp $ */
 /*
  * Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2014 Ingo Schwarze <schwarze@usta.de>
@@ -15,6 +15,10 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
+
+#include <sys/types.h>
+#include <sys/time.h>
+
 #include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
@@ -1025,10 +1029,23 @@ int
 main(void)
 {
 	struct req	 req;
+	struct itimerval itimer;
 	const char	*path;
 	const char	*querystring;
 	int		 i;
 
+	/* Poor man's ReDoS mitigation. */
+
+	itimer.it_value.tv_sec = 1;
+	itimer.it_value.tv_usec = 0;
+	itimer.it_interval.tv_sec = 1;
+	itimer.it_interval.tv_usec = 0;
+	if (setitimer(ITIMER_VIRTUAL, &itimer, NULL) == -1) {
+		fprintf(stderr, "setitimer: %s\n", strerror(errno));
+		pg_error_internal();
+		return(EXIT_FAILURE);
+	}
+
 	/* Scan our run-time environment. */
 
 	if (NULL == (scriptname = getenv("SCRIPT_NAME")))
-- 
2.20.1