Control: severity -1 wishlist
Control: forwarded -1 https://www.redmine.org/issues/3661

On Monday, July 6, 2026 11:48:56 PM Mountain Standard Time Charlemagne Lasse 
wrote:
> It is well known that the Redmine PDF creation for issues is broken
> and is used regularly to run DoS attacks against public Redmine
> instances. https://www.redmine.org/issues/3661

The upstream bug was created 17 years ago.  It only has 7 comments, and the 
last of them was six years ago, leading me to believe that this isn’t a 
significant problem for a majority of Redmine installations.
 
> Just take a redmine tracker, append .pdf to the end of the issues and
> when some of the issue doesn't immediately return a PDF, just run
> wget/curl a couple of dozen times more against this URL. The server is
> then gone (consuming resources and will cost you an arm+leg on a cloud
> provider) and the apache/nginx proxy will just return a service outage
> error ("504 gateway timed out").
> 
> People work around this by disabling PDF extensions in Apache:
> 
> RewriteEngine On
> # Return HTTP 403 for any URL ending in .pdf - simply because Redmine
> will hang forever and endlessly consume resources for the issue PDF
> creation
> RewriteRule \.pdf$ - [F,L,NC]
> 
> 
> But it is a DoS-able bug in Redmine which either must be fixed or it
> must be disabled by default.

If you think this bug is significant, I would recommend you address it by 
commenting on the upstream bug report.

I might be persuaded to add some information to README.Debian, or perhaps an 
example entry in the example Apache configs, but I would like to understand 
better what parts of Redmine this config would break before suggesting it to 
users.

-- 
Soren Stoutner
[email protected]

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers

Reply via email to