Excessively large offset specified in {{#time:}} causes timeout
Closed, ResolvedPublic

Description

Author: ed.nr.drie

Description:
In markup, {{#time: <mask> | <large_integer> <unit>}} where <large_integer> is de magnitude of 1E12 , when using the Preview button, the server returns the error page saying
"Wikimedia Foundation - Error - Our servers are currently experiencing a technical problem ..." after 1 minute.
Example: {{#time:j F| +1000000000000 days}}
Expected result: immediate "Error: invalid time"
(No attempt to save the page was made for security reason.)

However, moderately large numbers, like 1E11 cause long delays, but successfully return "Error: invalid time" .


Version: unspecified
Severity: major

Details

Reference
bz14898
bzimport created this task.Jul 23 2008, 4:05 PM

fran wrote:

This actually appears to be a bug in PHP's strtotime() function; a rather nasty one. Running this:

php -r "strtotime('+1000000000000 days');"

causes PHP to run seemingly forever on my laptop. Unfortunately, I'm not completely sure how we'd be able to detect this consistently.

ed.nr.drie wrote:

If this implies potential DoS vulnerability, this report's severity and priority status may need updating.

fran wrote:

Indeed, this has DoS potential; I've upgraded it to "Critical."

This bug recently filed in PHP's bug tracker appears to be the cause:
http://bugs.php.net/bug.php?id=45822

Created attachment 5329
Patch for PHP 5.x

I've sent this patch to Derick Rethans, who maintains the code in question, but he hasn't applied it yet, AFAIK. I talked to him about it on IRC and didn't seem very interested. It doesn't work for PHP 6. PHP 6 has some extra features and I still need a bit of extra inspiration to reimplement them in a loop-free way.

Attached: fast_do_normalize.patch

Just did a quick feedback check with Derick. Response: no time, but not forgotten.

Derick tells me that a solution to this problem is in PHP 5.3-cvs.

Now that the crash problem is solved, PF should handle such cases sanely. Currently, for {{#time:j F| +1000000000000 days}} the output is "90 <>", which is a bit random.

Since the fix is in PHP, anyone running into this problem should run PHP 5.3+ (I trust Tim to reopen if I'm wrong.)

  • Bug 28127 has been marked as a duplicate of this bug. ***

Add Comment