Page MenuHomePhabricator
Create Task
Maniphest T130947

Diff generation should use PoolCounter
Closed, ResolvedPublic
Actions

Description

Example diff: https://en.wikipedia.org/w/index.php?title=User:Jane023/Paintings_in_the_Hermitage&diff=711865027&oldid=709806317
It takes 69 freaking seconds to render even with wikidiff2! Looking at logs, a user was waiting for it to generate for a few seconds, then tried again, resulting in two diffs being generated concurrently. This is a DoS vector, and we need to take measures to avoid having all servers render the same diff. At least diff results are cached so an attacker would need to switch between diffs to produce a long outage.

Related Objects
Search...

Event Timeline

MaxSem created this task.Mar 25 2016, 6:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 25 2016, 6:03 PM
matmarex added projects: Vuln-DoS, PoolCounter, MediaWiki-Page-diffs, Performance Issue.Mar 25 2016, 8:29 PM
matmarex removed subscribers: Vuln-DoS, PoolCounter, MediaWiki-Page-diffs, Performance Issue.
greg subscribed.Mar 25 2016, 8:43 PM
MaxSem added a comment.Mar 25 2016, 10:51 PM

T130947.patch1 KBDownload

dpatrick triaged this task as Low priority.Mar 29 2016, 9:02 PM
Bawolff subscribed.Mar 29 2016, 9:15 PM
In T130947#2152392, @MaxSem wrote:

T130947.patch1 KBDownload

Looks good to me.

dpatrick added a project: Patch-For-Review.Mar 29 2016, 9:55 PM
Bawolff added a comment.Apr 5 2016, 12:30 AM

However, the error reporting for this patch isn't very good. Even something as simple as

'error' => function( $status ) { throw new FatalError( $status->getWikiText() ); } ]

for the error callback of PoolCounterDoWork would probably be ok if we don't expect errors to happen very often.

Bawolff added a comment.Apr 12 2016, 8:57 PM

To that end, here's an alternative version:

Use pool counter for gen diffs with better error handling2 KBDownload

MaxSem added a comment.Apr 18 2016, 11:27 PM
In T130947#2200959, @Bawolff wrote:

To that end, here's an alternative version:

Use pool counter for gen diffs with better error handling2 KBDownload

LGTM, let's deploy it.

csteipp subscribed.Apr 19 2016, 12:48 AM
In T130947#2216252, @MaxSem wrote:
In T130947#2200959, @Bawolff wrote:

To that end, here's an alternative version:

Use pool counter for gen diffs with better error handling2 KBDownload

LGTM, let's deploy it.

Cool. Assuming things go smoothly with the DC transition, I'll probably deploy this tomorrow afternoon.

MaxSem added a parent task: T124940: MediaWiki 1.26.3 security release.Apr 25 2016, 7:08 PM
MaxSem mentioned this in T124940: MediaWiki 1.26.3 security release.
csteipp closed this task as Resolved.May 5 2016, 6:24 PM
csteipp claimed this task.

Patch is now deployed.

18:23 csteipp: deployed patch for T130947

demon changed the visibility from "Custom Policy" to "Public (No Login Required)".May 20 2016, 5:28 PM
demon changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptMay 20 2016, 5:28 PM
Aklapper added a project: MediaWiki-Page-history.Sep 20 2019, 7:48 PM
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL