D19547.id46736.diff
diff --git a/src/aphront/response/AphrontResponse.php b/src/aphront/response/AphrontResponse.php
--- a/src/aphront/response/AphrontResponse.php
+++ b/src/aphront/response/AphrontResponse.php
@@ -54,7 +54,16 @@
public function getContentIterator() {
- return array($this->buildResponseString());
+ // By default, make sure responses are truly returning a string, not some
+ // kind of object that behaves like a string.
+
+ // We're going to remove the execution time limit before dumping the
+ // response into the sink, and want any rendering that's going to occur
+ // to happen BEFORE we get release the limit.
+
+ return array(
+ (string)$this->buildResponseString(),
+ );
}
public function buildResponseString() {
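Review bot: The second comment block in this hunk has a typo, "BEFORE we get release the limit", which should read "before we release the limit"; worth fixing since the comment is the only place the ordering rationale is recorded. The (string) cast does achieve the stated goal of forcing any string-like object to render while the execution limit is still in force, but it only covers responses that use this base implementation: a subclass that overrides getContentIterator() (the streaming responses the sink-side comment calls "unusual responses") is not cast here, so consider stating that in the comment so the guarantee is not overread.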
diff --git a/src/aphront/sink/AphrontHTTPSink.php b/src/aphront/sink/AphrontHTTPSink.php
--- a/src/aphront/sink/AphrontHTTPSink.php
+++ b/src/aphront/sink/AphrontHTTPSink.php
@@ -112,6 +112,23 @@
$response->getHTTPResponseMessage());
$this->writeHeaders($all_headers);
+ // Allow clients an unlimited amount of time to download the response.
+
+ // This allows clients to perform a "slow loris" attack, where they
+ // download a large response very slowly to tie up process slots. However,
+ // concurrent connection limits and "RequestReadTimeout" already prevent
+ // this attack. We could add our own minimum download rate here if we want
+ // to make this easier to configure eventually.
+
+ // For normal page responses, we've fully rendered the page into a string
+ // already so all that's left is writing it to the client.
+
+ // For unusual responses (like large file downloads) we may still be doing
+ // some meaningful work, but in theory that work is intrinsic to streaming
+ // the response.
+
+ set_time_limit(0);
+
$abort = false;
foreach ($data as $block) {
if (!$this->isWritable()) {
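Review bot: The justification in the first comment block leans on "RequestReadTimeout" to rule out a slow-download attack, but that Apache directive bounds how long the server waits while reading the request, not how slowly a client drains the response, so it does not limit the time a process spends in the loop below once set_time_limit(0) is in effect. The concurrent connection limit and the isWritable() check on each block are what actually bound a stalled download; suggest rewording the comment around those, and adding the minimum download rate the comment already floats if that bound is considered too weak.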
D19547: Remove the execution time limit (if any) before sinking HTTP responses