Control: severity -1 wishlist Control: forwarded -1 https://www.redmine.org/issues/3661
On Monday, July 6, 2026 11:48:56 PM Mountain Standard Time Charlemagne Lasse wrote: > It is well known that the Redmine PDF creation for issues is broken > and is used regularly to run DoS attacks against public Redmine > instances. https://www.redmine.org/issues/3661 The upstream bug was created 17 years ago. It only has 7 comments, and the last of them was six years ago, leading me to believe that this isn’t a significant problem for a majority of Redmine installations. > Just take a redmine tracker, append .pdf to the end of the issues and > when some of the issue doesn't immediately return a PDF, just run > wget/curl a couple of dozen times more against this URL. The server is > then gone (consuming resources and will cost you an arm+leg on a cloud > provider) and the apache/nginx proxy will just return a service outage > error ("504 gateway timed out"). > > People work around this by disabling PDF extensions in Apache: > > RewriteEngine On > # Return HTTP 403 for any URL ending in .pdf - simply because Redmine > will hang forever and endlessly consume resources for the issue PDF > creation > RewriteRule \.pdf$ - [F,L,NC] > > > But it is a DoS-able bug in Redmine which either must be fixed or it > must be disabled by default. If you think this bug is significant, I would recommend you address it by commenting on the upstream bug report. I might be persuaded to add some information to README.Debian, or perhaps an example entry in the example Apache configs, but I would like to understand better what parts of Redmine this config would break before suggesting it to users. -- Soren Stoutner [email protected]
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Pkg-ruby-extras-maintainers mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
