Remote recursion - security flaw or just annoyance?

Posted: Wed Nov 07, 2007 3:57 am
by alex.barylski
Assume you have a section in your code which can (under rare circumstances) potentially be used to cause recursion on your server until the script times out. Is this a security flaw or something not worth worrying about?

The only reason I haven't fixed it is because the fix is hackish in nature and the only way to prevent this exploit from happening at the code level.

Do you hack it in order to patch it up or leave it up to the system to handle these rare circumstances?

Posted: Wed Nov 07, 2007 1:41 pm
by Kieran Huggins
example?

Posted: Thu Nov 08, 2007 1:14 pm
by Mordred
I can't see how stopping a recursive function from recursing indefinitely could be "hackish". Writing end-of-recursion checks is an essential part of writing recursive functions.

This sounds like a DOS precondition, and even if you think it would happen only rarely (can't say anything without seeing code) you should be open to the idea that your judgement is wrong ;) And again, if it's not trivial to fix, you're probably doing something very wrong. Fix the code or refactor the caller not to use the function.
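An added example (not code from this thread or any poster) showing the kind of end-of-recursion checks Mordred describes: a small recursive template resolver with a cycle check and a depth bound, run against constructed input that would otherwise recurse until the script times out. The template format, `MAX_DEPTH` value and function names are assumptions for illustration.

```python
import re

MAX_DEPTH = 32  # hypothetical bound; pick one that real data never legitimately exceeds


class RecursionLimitExceeded(Exception):
    """Raised when input would drive the resolver past its termination checks."""


def resolve(name, templates, depth=0, stack=None):
    """Expand {{other}} references inside templates[name], recursively.

    Two end-of-recursion checks turn the DoS precondition into a clean error:
    - `stack` holds the names currently being expanded; meeting one again is a
      cycle (a -> b -> a) that would otherwise never terminate.
    - `depth` bounds legitimately deep chains, so a hostile input of thousands
      of nested references cannot burn the whole request time or the stack.
    """
    if stack is None:
        stack = []
    if name in stack:
        raise RecursionLimitExceeded("cycle: " + " -> ".join(stack + [name]))
    if depth >= MAX_DEPTH:
        raise RecursionLimitExceeded(f"depth {depth} exceeds {MAX_DEPTH}")
    stack.append(name)
    try:
        return re.sub(
            r"\{\{(\w+)\}\}",
            lambda m: resolve(m.group(1), templates, depth + 1, stack),
            templates[name],
        )
    finally:
        stack.pop()  # leave the stack consistent for sibling references


def safe_resolve(name, templates):
    """Resolve and report a refusal instead of timing out on bad input."""
    try:
        return resolve(name, templates)
    except RecursionLimitExceeded as exc:
        return f"[refused: {exc}]"


# Constructed sample data: a normal page, a two-template cycle, and a 100-deep chain.
TEMPLATES = {
    "page": "Hello {{greeting}}",
    "greeting": "world",
    "loop_a": "{{loop_b}}",
    "loop_b": "{{loop_a}}",
}
DEEP = {f"t{i}": f"{{{{t{i + 1}}}}}" for i in range(100)}
DEEP["t100"] = "end"
```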