The file sources/http.php had a DOS loop attack prevention mechanism that was ineffective, leaving the HttpDownloader vulnerable to DOS loop attacks.

The mechanism was to set the internal ua to Composr-recurse so that if the user agent ever came back as such, HttpDownloader would exit. However, Composr-recurse was being set on an unused local variable instead of the class' actual user agent (ua) variable. This made the prevention ineffective.

The fix is outlined in Security fix for MANTIS-5737 (Fix ineffective DOS loop attack prevention) (4a5223f8) · Commits · Composr ecosystem / Composr · GitLab. Simply edit sources/http.php, and on line 420 (smoke em if you got em), change $ua to $this->ua .

Normally, a patch would be released with this fix immediately. However, since we are still in alpha, and since this fix is very easy to do, we are not following the full security protocol at this time. We have recommended not to run v11 alpha in production unless you really know what you are doing.

This fix will be included in 11 alpha3, but this release is still several days away at least.

This issue does NOT affect v10.