Bug 17462 - Prevent mod_rewrite from deadlooping
Status: CLOSED FIXED
Product: Apache httpd-1.3
Classification: Unclassified
Component: mod_rewrite
Version: HEAD
Hardware: PC Linux
Importance: P3 enhancement
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2003-02-27 04:50 UTC by Dario Gomes
Modified: 2004-11-16 19:05 UTC



Description Dario Gomes 2003-02-27 04:50:00 UTC
The following code on an .htaccess file

RewriteEngine On
RewriteBase /
RewriteRule ^(.*) /index.html

can get the httpd process REALLY busy. Just place it in the main directory, but 
it'll work in a subdirectory, in which case change the last line to

RewriteRule ^(.*) /subdir/index.html

The file index.html SHOULD NOT exist. Then call

http://yoursite.com/

or

http://yoursite.com/subdir/

and the browser window won't stop loading. On the server side, you'll get a 
pretty nasty httpd process using up a whole lot of CPU and memory. And if the 
URL is called a bunch of times, the server can lock up!

I did not experience the bug on Apache 2.0.40 (Red Hat 8.0 RPM install), only 
on 1.3.27, both compiled by hand and RH 7.3 RPM install.

-Dario Gomes
Comment 1 André Malo 2003-02-27 11:27:08 UTC
he, you'll need a better system that finishes this endless loop under one minute ;-)

It's a known issue. You're simply creating an endless loop of internal
redirects. That's why you should already test your rules before putting them on a
production server.

However, I'm changing this to an Enhancement request. We should be able to set a
configurable limit of maximum redirects issued by mod_rewrite.

Thanks for using Apache!
Comment 2 Dario Gomes 2003-02-27 13:44:05 UTC
The problem is I run a shared hosting server, and I have no control of the 
rules my users put on their sites... I got the server locked up two times 
before I found the source of the problem!

Why doesn't this bug affect Apache 2.0.4x? Maybe they've worked out this issue 
already?

-Dario
Comment 3 André Malo 2003-03-01 20:32:17 UTC
In 2.0 the trick doesn't work with your ruleset, because of a different
behaviour of mod_dir. You can crash the server, for example, with the following
in a htaccess file (in docroot):

RewriteEngine On
RewriteBase /
RewriteRule (.*) / [L]

However, a configurable limit was introduced in 2.1 and is proposed for backport.
Comment 4 André Malo 2003-03-19 15:52:16 UTC
FYI: The enhancement will appear in the next releases (1.3.28 and 2.0.45).
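
Added example, not part of the bug thread or of Apache's code: a simplified Python model of per-directory rules being re-run after each internal redirect, showing why the rulesets from the description and Comment 3 never settle and how a redirect cap like the one proposed in Comment 1 bounds the work. It assumes the first matching rule ends a pass, uses Python's `re` in place of Apache's regex engine, and ignores mod_dir and RewriteCond; the cap of 10 and the names `parse_htaccess`, `serve` and `audit` are assumptions of this example.

```python
import re

# Rulesets quoted in the thread, plus one constructed terminating ruleset.
DESCRIPTION_RULES = "RewriteEngine On\nRewriteBase /\nRewriteRule ^(.*) /index.html\n"
COMMENT3_RULES = "RewriteEngine On\nRewriteBase /\nRewriteRule (.*) / [L]\n"
CONSTRUCTED_OK = "RewriteEngine On\nRewriteBase /\nRewriteRule ^old/(.*)$ /new/$1\n"


def parse_htaccess(text):
    """Return (RewriteBase, [(compiled pattern, substitution)])."""
    base, rules = "/", []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "rewritebase":
            base = parts[1]
        elif len(parts) >= 3 and parts[0].lower() == "rewriterule":
            # Flags such as [L] are ignored: [L] only ends the current pass,
            # and the internal redirect starts a new pass from the first rule.
            rules.append((re.compile(parts[1]), parts[2]))
    return base, rules


def serve(uri, base, rules, max_redirects=10):
    """Follow internal redirects; ("done", n) or ("loop", n) at the cap."""
    redirects = 0
    while True:
        # Per-directory rules match the path with the base prefix stripped.
        local = uri[len(base):] if uri.startswith(base) else uri
        target = None
        for pattern, subst in rules:
            m = pattern.search(local)
            if m:  # model assumption: the first matching rule ends the pass
                target = m.expand(subst.replace("$", "\\"))  # $1 -> \1
                break
        if target is None:
            return "done", redirects
        if redirects >= max_redirects:
            return "loop", redirects  # where a server would abort the request
        uri, redirects = target, redirects + 1


def audit(htaccess_text, probes=("/", "/old/a.html")):
    """List the probe URIs that never settle under this ruleset."""
    base, rules = parse_htaccess(htaccess_text)
    return [p for p in probes if serve(p, base, rules)[0] == "loop"]


if __name__ == "__main__":
    for name in ("DESCRIPTION_RULES", "COMMENT3_RULES", "CONSTRUCTED_OK"):
        print(name, audit(globals()[name]))
```

On a shared host, running `audit` over user-supplied .htaccess files flags rulesets whose substitution is matched again by their own pattern before they reach production.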