I know I can work around this by setting the following rules:

SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000

But what exactly are these rules doing? What does it mean to set the PCRE recursion limit to 150,000? By setting it this high, which security holes am I letting through? What do "recursion" and "limit" mean here?

I know there is documentation, but the documentation doesn't really tell me what is going on; it only tells me how to use the directive.
The match_limit field provides a means of preventing PCRE from using up a vast amount of resources when running patterns that are not going to match, but which have a very large number of possibilities in their search trees. The classic example is the use of nested unlimited repeats. Internally, PCRE uses a function called match() which it calls repeatedly (sometimes recursively). The limit set by match_limit is imposed on the number of times this function is called during a match, which has the effect of limiting the amount of backtracking that can take place. For patterns that are not anchored, the count restarts from zero for each position in the subject string. The default value for the limit can be set when PCRE is built; the default default is 10 million, which handles all but the most extreme cases. You can override the default by supplying pcre_exec() with a pcre_extra block in which match_limit is set, and PCRE_EXTRA_MATCH_LIMIT is set in the flags field. If the limit is exceeded, pcre_exec() returns PCRE_ERROR_MATCHLIMIT.

The match_limit_recursion field is similar to match_limit, but instead of limiting the total number of times that match() is called, it limits the depth of recursion. The recursion depth is a smaller number than the total number of calls, because not all calls to match() are recursive. This limit is of use only if it is set smaller than match_limit.
Since the PCRE library's built-in default is 10000000, my guess is that a lower setting is recommended for mod_security to prevent requests from being held up for a long time.
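To make the quoted description concrete, here is an added toy backtracking matcher written for this page; it is not PCRE's or ModSecurity's code. It counts every call to its match() analogue, which is what match_limit bounds, and tracks the current nesting depth, which is what match_limit_recursion bounds, restarting the call counter at each start position as PCRE does for unanchored patterns. It then runs the classic nested unlimited repeat (a+)+b against a subject that can never match, which is exactly the case where a WAF rule can be made to burn CPU on one request. The pattern tuples, class and function names are assumptions made for the example.

```python
"""Toy backtracking matcher mirroring PCRE's match_limit and
match_limit_recursion. Constructed illustration, not PCRE itself.

Pattern syntax (assumed for this example, not PCRE's):
  ('char', 'a')          a literal character
  ('plus', [nodes...])   one or more greedy repetitions of a sub-pattern
"""


class MatchLimitError(Exception):
    """Analogue of PCRE_ERROR_MATCHLIMIT: too many match() calls."""


class RecursionLimitError(Exception):
    """Analogue of PCRE_ERROR_RECURSIONLIMIT: match() nested too deeply."""


class Matcher:
    def __init__(self, match_limit=10_000_000, recursion_limit=10_000_000):
        self.match_limit = match_limit
        self.recursion_limit = recursion_limit
        self.subject = ""
        self.calls = 0       # total match() invocations: what match_limit bounds
        self.depth = 0       # current nesting depth: what match_limit_recursion bounds
        self.max_depth = 0

    def _match(self, nodes, i, pos, cont):
        """Match nodes[i:] at pos, then hand the end position to cont()."""
        self.calls += 1
        if self.calls > self.match_limit:
            raise MatchLimitError(f"more than {self.match_limit} match() calls")
        self.depth += 1
        self.max_depth = max(self.max_depth, self.depth)
        if self.depth > self.recursion_limit:
            raise RecursionLimitError(f"nesting deeper than {self.recursion_limit}")
        try:
            if i == len(nodes):
                return cont(pos)
            kind, arg = nodes[i]
            if kind == "char":
                if pos < len(self.subject) and self.subject[pos] == arg:
                    return self._match(nodes, i + 1, pos + 1, cont)
                return False
            if kind == "plus":
                def after_one(p):
                    if p == pos:  # zero-width repetition: stop looping
                        return self._match(nodes, i + 1, p, cont)
                    # Greedy: another repetition first, then the rest of the pattern.
                    return (self._match(nodes, i, p, cont)
                            or self._match(nodes, i + 1, p, cont))
                return self._match(arg, 0, pos, after_one)
            raise ValueError(f"unknown node type {kind!r}")
        finally:
            self.depth -= 1

    def match_at(self, pattern, subject, start):
        """One anchored attempt; the call counter restarts per start position,
        as PCRE does for an unanchored pattern."""
        self.subject = subject
        self.calls = 0
        return self._match(pattern, 0, start, lambda p: True)

    def search(self, pattern, subject):
        """Unanchored search; returns the start offset of a match or None."""
        for start in range(len(subject) + 1):
            if self.match_at(pattern, subject, start):
                return start
        return None


# (a+)+b in the toy syntax: nested unlimited repeats followed by a literal.
NESTED = [("plus", [("plus", [("char", "a")])]), ("char", "b")]


def run(pattern, subject, **limits):
    """Return 'matched', 'no match', 'MATCHLIMIT' or 'RECURSIONLIMIT'."""
    m = Matcher(**limits)
    try:
        start = m.search(pattern, subject)
    except MatchLimitError:
        return "MATCHLIMIT"
    except RecursionLimitError:
        return "RECURSIONLIMIT"
    return "matched" if start is not None else "no match"


if __name__ == "__main__":
    # A matching subject is cheap; a near-miss blows up exponentially
    # in the number of a's unless match_limit stops it.
    print("aaaaaaaaaab:", run(NESTED, "a" * 10 + "b", match_limit=10_000))
    print("a*24 (no b):", run(NESTED, "a" * 24, match_limit=10_000))
    # A tiny recursion limit aborts even a successful match early.
    print("aaaaaaaaaab, depth 8:", run(NESTED, "a" * 10 + "b", recursion_limit=8))
```

Raising SecPcreMatchLimit and SecPcreMatchLimitRecursion therefore does not open a hole in what the rules match; it raises how much work a single request may force the regex engine to do before the engine gives up, which is the denial-of-service trade-off the limits exist to cap.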