mirror of
git://git.proxmox.com/git/pve-http-server.git
synced 2025-01-20 14:03:47 +03:00
e6bd383f86
Avoids syslog/journal warning like:
> Use of uninitialized value $v in substitution (s///) at
> /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 648.
If one passes a "value-less" GET argument to a request, e.g.,
GET /?debug
Besides the fact that this allows us to even use such arguments it
also is a general improvement against a slight "syslog DOS attack",
because anybody can pass such parameters to the '/' page, and all
proxmox daemons providing a API/UI using libpve-http-server-perl
allow to do such requests unauthenticated (which itself is OK, as
else one could not show the login window at all). As each of such
request produces two log lines in the syslog/journal it's far from
ideal.
A simple reproducer of the possible outcome can be seen with the
following shell script using curl:
> PVEURL='127.0.0.1'
> ARGS='?a'; # send multiple args at once to amplify the per-connection cost
> for c in {a..z}; do for i in {0..9}; do ARGS="$ARGS&$c$i"; done; done
> while true; do curl --insecure --silent --output /dev/null "https://$PVEURL:8006$ARGS"; done
Not really bad, but not nice either, as logging is not too cheap this
has some resource usage cost and noise in the syslog is never nice.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
(cherry picked from commit 4a09623bbdb4306ca00685a0f80ce6f05fa42f3b)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>