[wp-trac] Re: [WordPress Trac] #4137: Pingback Denial of Service possibility

WordPress Trac wp-trac at lists.automattic.com
Wed Jul 4 15:26:53 GMT 2007

#4137: Pingback Denial of Service possibility
 Reporter:  foobarwp12                                                   |        Owner:  pishmishy  
     Type:  defect                                                       |       Status:  assigned   
 Priority:  high                                                         |    Milestone:  2.3 (trunk)
Component:  Security                                                     |      Version:  2.1.3      
 Severity:  normal                                                       |   Resolution:             
 Keywords:  xmlrpc ddos possibility has-patch 2nd-opinion needs-testing  |  
Comment (by Otto42):

 You may want to set the CURLOPT_RANGE parameter as well. On servers that
 support it (HTTP 1.1, some FTP's), it will limit the server to only
 returning the amount of data you want. On those that don't support it, it
 won't have any effect.

 I would also suggest setting CURLOPT_BUFFERSIZE (only for PHP5 and up) to
 some value like 4096 or something. I think the default action of curl in
 the way you're using it will simply retrieve the whole page and return it
 to your read function as a single string, or as some really large buffer
 or something.

 Using a CURLOPT_TIMEOUT of some value, like 30-60 seconds, would also
 limit the impact from this sort of thing.

 Essentially, there's no certain way to make curl stop retrieving data. But
 these would at least help.

Ticket URL: <http://trac.wordpress.org/ticket/4137#comment:7>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list