details: http://freenginx.org/hg/nginx/rev/d9a52ebb9b00 branches: changeset: 9236:d9a52ebb9b00 user: Maxim Dounin <mdou...@mdounin.ru> date: Sat Mar 30 05:05:53 2024 +0300 description: Mail: max_commands directive.
The directive specifies the maximum number of commands allowed during authentication, after which the connection is closed. The default limit is 1000, which is not expected to affect any well-behaving clients, since authentication usually requires at most several commands, though will effectively stop malicious clients from flooding the server with with commands. diffstat: src/mail/ngx_mail.h | 2 ++ src/mail/ngx_mail_core_module.c | 9 +++++++++ src/mail/ngx_mail_handler.c | 12 ++++++++++++ 3 files changed, 23 insertions(+), 0 deletions(-) diffs (74 lines): diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h --- a/src/mail/ngx_mail.h +++ b/src/mail/ngx_mail.h @@ -116,6 +116,7 @@ typedef struct { ngx_msec_t resolver_timeout; ngx_uint_t max_errors; + ngx_uint_t max_commands; ngx_str_t server_name; @@ -234,6 +235,7 @@ typedef struct { ngx_array_t args; ngx_uint_t errors; + ngx_uint_t commands; ngx_uint_t login_attempt; /* used to parse POP3/IMAP/SMTP command */ diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c --- a/src/mail/ngx_mail_core_module.c +++ b/src/mail/ngx_mail_core_module.c @@ -92,6 +92,13 @@ static ngx_command_t ngx_mail_core_comm offsetof(ngx_mail_core_srv_conf_t, max_errors), NULL }, + { ngx_string("max_commands"), + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_num_slot, + NGX_MAIL_SRV_CONF_OFFSET, + offsetof(ngx_mail_core_srv_conf_t, max_commands), + NULL }, + ngx_null_command }; @@ -171,6 +178,7 @@ ngx_mail_core_create_srv_conf(ngx_conf_t cscf->resolver_timeout = NGX_CONF_UNSET_MSEC; cscf->max_errors = NGX_CONF_UNSET_UINT; + cscf->max_commands = NGX_CONF_UNSET_UINT; cscf->resolver = NGX_CONF_UNSET_PTR; @@ -192,6 +200,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t 30000); ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5); + ngx_conf_merge_uint_value(conf->max_commands, prev->max_commands, 1000); ngx_conf_merge_str_value(conf->server_name, prev->server_name, ""); 
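Review bot: The new `max_commands` entry in `ngx_mail_core_commands` passes `NULL` as the post handler, so `ngx_conf_set_num_slot` accepts `max_commands 0;`. Combined with the `s->commands > cscf->max_commands` test added in ngx_mail_handler.c, that value rejects the first command of every session rather than meaning "no limit". Either document that 0 does not switch the limit off, or reject it at configuration time with a bounds post handler, for example `static ngx_conf_num_bounds_t ngx_mail_core_max_commands_bounds = { ngx_conf_check_num_bounds, 1, -1 };` and `&ngx_mail_core_max_commands_bounds` in place of `NULL`. The command array starts outside the hunk.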
diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c --- a/src/mail/ngx_mail_handler.c +++ b/src/mail/ngx_mail_handler.c @@ -896,6 +896,18 @@ ngx_mail_read_command(ngx_mail_session_t return NGX_ERROR; } + s->commands++; + + if (s->commands > cscf->max_commands) { + + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent too many commands"); + + s->quit = 1; + + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + return NGX_OK; } -- nginx-devel mailing list nginx-devel@freenginx.org https://freenginx.org/mailman/listinfo/nginx-devel
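Review bot: The limit trip in `ngx_mail_read_command` is logged at `NGX_LOG_INFO`, which is below nginx's default `error_log` level of `error`, so on a default configuration a client that hits `max_commands` leaves no log trace for anyone monitoring the mail proxy for flooding. The directive documentation should name the message "client sent too many commands" and the log level needed to see it. A short comment above `s->commands++;` would also help, e.g. `/* count commands that reach the success path; s->quit is set once max_commands is exceeded */`. Commands that leave through the earlier returns are presumably not counted, but those returns are outside this hunk, as is the start of the function body.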