
v1.3.19 - add timeout for complete header read

In order to mitigate the slow-HTTP-header denial-of-service attack,
there is now a parameter that controls the maximum amount of time
AllegroServe will spend reading the headers of a request.

Are there user-visible changes that require documentation?  yes
 I'll file a documentation bug with the details about the new
 variable and method

Change-Id: Ib79e7b002877b8918ac8e2b031a4ac61cc092451
John Foderaro
John Foderaro committed Jan 7, 2013
1 parent 108cf59 commit 0759bec4ecb5e369b20f741e7edbd5ce2241fea5
Showing with 19 additions and 5 deletions.
  1. +17 −5 main.cl
  2. +2 −0 packages.cl
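--- a/main.cl
+++ b/main.cl
@@ -38,7 +38,7 @@
 #+ignore
 (check-smp-consistency)
-(defparameter *aserve-version* '(1 3 18))
+(defparameter *aserve-version* '(1 3 19))
 (eval-when (eval load)
 (require :sock)
@@ -413,6 +413,8 @@ will be logged with one log entry per line in some cases.")
 (defvar *read-request-timeout* 20)
 (defvar *read-request-body-timeout* 60)
+(defvar *http-header-read-timeout* 60) ; seconds for complete header read
+
 (defvar *http-response-timeout*
 #+io-timeout 300 ; 5 minutes for timeout if we support i/o timeouts
 #-io-timeout 120 ; 2 minutes if we use this for i/o timeouts too.
@@ -560,7 +562,13 @@ will be logged with one log entry per line in some cases.")
 :initarg :io-timeout
 :initform *http-io-timeout*
 :accessor wserver-io-timeout)
-
+
+ (header-read-timeout
+ ;; max time to read headers
+ :initarg :header-read-timeout
+ :initform *http-header-read-timeout*
+ :accessor wserver-header-read-timeout)
+
 ;;
 ;; -- internal slots --
 ;;
@@ -1750,12 +1758,16 @@ by keyword symbols and not by strings"
 ;; get first command
 (loop
- (multiple-value-setq (req error-obj)
- (ignore-errors
+ (multiple-value-setq (req error-obj)
+ (ignore-errors
+ (mp:with-timeout ((wserver-header-read-timeout *wserver*)
+ (debug-format :info "total header read timeout")
+ (return-from process-connection nil))
+
 (with-timeout-local ((wserver-read-request-timeout *wserver*)
 (debug-format :info "request timed out on read")
 (return-from process-connection nil))
- (read-http-request sock chars-seen))))
+ (read-http-request sock chars-seen)))))
 (if* (null req)
 then ; end of file, means do nothing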
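Review bot: The new `*http-header-read-timeout*` defvar and the `header-read-timeout` slot carry only a one-line comment, and the commit itself defers documentation, so the reason an outer timeout is needed around the existing `with-timeout-local` is left to the reader; judging by the `#+io-timeout` comments on `*http-response-timeout*`, the inner timeout appears to be a per-I/O-operation bound that a client sending one byte every few seconds never trips, while the outer `mp:with-timeout` is a wall-clock bound on the whole header read. Suggest saying exactly that on the variable: `(defvar *http-header-read-timeout* 60 "Maximum wall-clock seconds allowed to read a complete request header; defends against slow-header (slowloris) clients that never exceed the per-read *read-request-timeout*.")`. The timeout handler leaves via `return-from process-connection nil`; that function starts and ends outside the hunk, so whether the socket is closed on this exit path cannot be confirmed here, and the `:info` log level (same as the ordinary read timeout) gives operators no distinct, visible signal that a connection was cut for exceeding the header budget — a more prominent log entry naming the peer would help detect an attack in progress. Note also that this bounds time but not header size; nothing in this commit limits how many header bytes a client may send within the 60 seconds, so a separate header-length cap is presumably needed elsewhere if one does not already exist.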
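--- a/packages.cl
+++ b/packages.cl
@@ -200,6 +200,7 @@ without compression. Original error loading deflate was:~:@>~%~a~%" c)
 #:wserver-enable-keep-alive
 #:wserver-external-format
 #:wserver-filters
+ #:wserver-header-read-timeout
 #:wserver-locators
 #:wserver-io-timeout
 #:wserver-log-function
@@ -211,6 +212,7 @@ without compression. Original error loading deflate was:~:@>~%~a~%" c)
 #:*aserve-version*
 #:*default-aserve-external-format*
+ #:*http-header-read-timeout*
 #:*http-io-timeout*
 #:*http-response-timeout*
 #:*mime-types*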
