naxsi
[BUG] certain requests/regex cause infinite loop
The following requests/rules seem to trigger an infinite loop (calling `pcre_exec`) in `ngx_http_process_basic_rule_buffer`.
HTTP request:
GET /favicon.ico%0d%0aBCC%[email protected]%0d%0afffl%3a%20b
decoded request evaluated by naxsi:
/favicon.ico\r\nBCC:[email protected]\r\nfff: b
rule:
BasicRule "msg:block All URLs" "rx:.*" "mz:URL" "s:$GENERIC:3" id:2000;
gdb and ltrace show that the `start_offset` argument for `pcre_exec` remains `13` (`\r`) and is not increased.
https://github.com/nbs-system/naxsi/blob/6a0378ee7cf0c53df719a1895717c5fa5278a660/naxsi_src/naxsi_runtime.c#L181
It seems to be a pcre issue, no?
This issue comes from a flag issue with `pcre_compile` and `pcre_exec`. `%0d%0a` becomes `\r\n` when unescaped. Newlines are not matched by `pcre_exec`. Hence you see `start_offset` stuck at 13.
`PCRE_DOTALL` can be added to `pcre_compile`:

```c
rgc->options = PCRE_CASELESS|PCRE_MULTILINE|PCRE_DOTALL;
```

and `PCRE_NOTEMPTY` to `pcre_exec`:

```c
(match = pcre_exec(rl->br->rx->regex->code, 0, (const char *) str->data, str->len, tmp_idx, PCRE_NOTEMPTY, captures, 30)) >= 0
```
It may or may not affect your whitelisting.
References:
https://www.pcre.org/original/doc/html/pcre_exec.html
https://www.pcre.org/original/doc/html/pcre_compile.html
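To make the mechanism behind the stuck `start_offset` and the effect of the two flags concrete, here is an added example that is not part of the issue or of naxsi's code. It replays the "match, then restart from the end of the previous match" loop in Python, with `re` standing in for `pcre_exec` (like PCRE's default, Python's `.` matches everything except `\n`; `re.DOTALL` plays the role of `PCRE_DOTALL`). Python has no `PCRE_NOTEMPTY`, so `search_notempty` approximates it by rejecting zero-length matches; the function names, the `FLAGS_*` constants and the rule that the emulated loop stops once the offset reaches the end of the buffer are my assumptions. The input string is the decoded request quoted in the issue.

```python
import re

# Sample input: the decoded request quoted in the issue (URL with injected CRLF headers).
DECODED = "/favicon.ico\r\nBCC:[email protected]\r\nfff: b"

# Stand-ins for the compile options discussed above (assumed names):
# naxsi's PCRE_CASELESS|PCRE_MULTILINE, and the same with PCRE_DOTALL added.
FLAGS_NAXSI = re.IGNORECASE | re.MULTILINE
FLAGS_DOTALL = FLAGS_NAXSI | re.DOTALL


def search_notempty(rx, text, pos):
    """Approximate PCRE_NOTEMPTY with Python's re, which lacks the flag:
    a zero-length match is rejected and the search resumes one character
    later. Exact for greedy patterns such as ".*"; for lazy patterns real
    pcre_exec may instead backtrack into a non-empty match at the same
    position (assumption, not modelled here)."""
    while pos <= len(text):
        m = rx.search(text, pos)
        if m is None:
            return None
        if m.end() > m.start():
            return m
        pos = m.start() + 1
    return None


def exec_loop(pattern, text, flags=0, notempty=False):
    """Replay the matching loop from the issue: run the matcher from
    start_offset, move start_offset to the end of the match, repeat.
    The emulated loop stops once the offset reaches the end of the buffer
    (assumed exit condition).

    Returns (spans, stuck): the (start, end) spans matched, and True when a
    zero-length match left the offset where it was, i.e. the next call would
    be made with the same start_offset forever (the infinite loop)."""
    rx = re.compile(pattern, flags)
    offset, spans = 0, []
    while offset < len(text):
        m = search_notempty(rx, text, offset) if notempty else rx.search(text, offset)
        if m is None:
            break
        spans.append(m.span())
        if m.end() == offset:
            # Empty match at start_offset: no progress, the real loop would spin.
            return spans, True
        offset = m.end()  # strictly increases, so this loop terminates
    return spans, False


if __name__ == "__main__":
    cases = [
        ("CASELESS|MULTILINE, no NOTEMPTY", FLAGS_NAXSI, False),
        ("... + DOTALL", FLAGS_DOTALL, False),
        ("... + NOTEMPTY", FLAGS_NAXSI, True),
        ("... + DOTALL + NOTEMPTY", FLAGS_DOTALL, True),
    ]
    for label, flags, ne in cases:
        spans, stuck = exec_loop(r".*", DECODED, flags, notempty=ne)
        print(f"{label:32s} spans={spans} stuck={stuck}")
```

With naxsi's options alone, `.*` first matches `/favicon.ico\r` (0..13) and then returns an empty match at offset 13, the `\n`, so the offset never moves. `DOTALL` lets `.*` swallow the whole buffer in one match; `NOTEMPTY` instead skips the empty match at 13 and continues from the next line, which is why each flag on its own is enough to break the loop for this rule, and why either changes what the `rx:.*` rule actually matches (the "may affect your whitelisting" caveat above).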