Page MenuHomePhabricator
Create Task
Maniphest T164869

Rate limiter (pingLimiter) in combination with XCache never expires (users get locked out)
Closed, DeclinedPublic
Actions

Description

In User::pingLimiter, when adding a cache entry for the rate limit, MediaWiki first adds an entry with an expiration: $cache->add( $key, 0, intval( $period ) ); // first ping than calls
$cache->incr( $key, $incrBy ); to increment the rate limit value.

XCache has some arguably buggy / unexpected behavior in this case: if a variable is added with a TTL and then incremented, the original TTL is lost. The TTL is set to either the parameter passed to xcache_inc (not done in Mediawiki) or the xcache default. This causes rate limiting to take much longer than expected or potentially never expire if using XCache defaults, locking users out when they hit rate limit thresholds. This was tested with the latest public release of XCache (3.2.0) and MediaWiki 1.28.2.

Related Objects

Event Timeline

R1CH created this task.May 9 2017, 8:36 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 9 2017, 8:36 PM
R1CH added a comment.May 10 2017, 2:40 PM

T59973 seems to experience the same issue with another part of the code.

Krinkle renamed this task from Rate limiter in combination with XCache doesn't expire properly, locking users out to Rate limiter (pingLimiter) in combination with XCache never expires (users get locked out).Jul 6 2017, 4:21 AM
Krinkle added a project: MediaWiki-User-management.
Krinkle updated the task description. (Show Details)
Krinkle merged a task: T59973: wgPasswordAttemptThrottle doesn't expire with xcache.
Krinkle moved this task from General to libs/objectcache on the MediaWiki-libs-BagOStuff board.
Krinkle added subscribers: bzimport, wikibugs-l-list.
TBolliger moved this task from Backlog to Other on the MediaWiki-User-management board.Mar 21 2018, 9:46 PM
MaxSem subscribed.Mar 22 2018, 8:18 PM

I would argue that this bug makes XCache incompatible with MW. Do we have a maintainer for it?

Krinkle closed this task as Declined.Jun 7 2020, 2:48 AM
Krinkle subscribed.

Indeed.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL