Excessively large offset specified in {{#time:}} causes timeout
Closed, Resolved, Public


Author: ed.nr.drie

In markup, {{#time: <mask> | <large_integer> <unit>}} where <large_integer> is of the magnitude of 1E12, when using the Preview button, the server returns the error page saying
"Wikimedia Foundation - Error - Our servers are currently experiencing a technical problem ..." after 1 minute.
Example: {{#time:j F| +1000000000000 days}}
Expected result: immediate "Error: invalid time"
(No attempt to save the page was made for security reasons.)

However, moderately large numbers, like 1E11, cause long delays, but successfully return "Error: invalid time".

Version: unspecified
Severity: major

bzimport set Reference to bz14898.
bzimport created this task. Via Legacy, Jul 23 2008, 4:05 PM
bzimport added a comment. Via Conduit, Aug 20 2008, 5:43 AM

fran wrote:

This actually appears to be a bug in PHP's strtotime() function; a rather nasty one. Running this:

php -r "strtotime('+1000000000000 days');"

causes PHP to run seemingly forever on my laptop. Unfortunately, I'm not completely sure how we'd be able to detect this consistently.

bzimport added a comment. Via Conduit, Aug 20 2008, 10:31 AM

ed.nr.drie wrote:

If this implies potential DoS vulnerability, this report's severity and priority status may need updating.

bzimport added a comment. Via Conduit, Aug 20 2008, 7:12 PM

fran wrote:

Indeed, this has DoS potential; I've upgraded it to "Critical."

This bug recently filed in PHP's bug tracker appears to be the cause:

tstarling added a comment. Via Conduit, Sep 13 2008, 12:56 PM

Created attachment 5329
Patch for PHP 5.x

I've sent this patch to Derick Rethans, who maintains the code in question, but he hasn't applied it yet, AFAIK. I talked to him about it on IRC and he didn't seem very interested. It doesn't work for PHP 6. PHP 6 has some extra features and I still need a bit of extra inspiration to reimplement them in a loop-free way.

Attached: fast_do_normalize.patch

siebrand added a comment. Via Conduit, Nov 2 2008, 9:47 PM

Just did a quick feedback check with Derick. Response: no time, but not forgotten.

tstarling added a comment. Via Conduit, May 12 2009, 6:10 AM

Derick tells me that a solution to this problem is in PHP 5.3-cvs.

MaxSem added a comment. Via Conduit, May 29 2010, 12:43 PM

Now that the crash problem is solved, PF should handle such cases sanely. Currently, for {{#time:j F| +1000000000000 days}} the output is "90 <>", which is a bit random.

MarkAHershberger added a comment. Via Conduit, Mar 19 2011, 3:05 AM

Since the fix is in PHP, anyone running into this problem should run PHP 5.3+ (I trust Tim to reopen if I'm wrong.)

brion added a comment. Via Conduit, Sep 14 2011, 11:59 PM

*** Bug 28127 has been marked as a duplicate of this bug. ***
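
One way to screen {{#time:}} input before it reaches strtotime(), addressing the detection question raised earlier in the thread, as an added example that is not MediaWiki's or PHP's own code. The digit cap, the unit list and both function names are assumptions chosen for illustration.

```php
<?php
// Added example: a hypothetical pre-check, not ParserFunctions or PHP core code.

// Assumed policy: no relative offset may exceed 6 significant digits.
const MAX_OFFSET_DIGITS = 6;
// Assumed subset of strtotime() relative units to screen for.
const UNIT_PATTERN = 'sec|second|min|minute|hour|day|week|fortnight|month|year';

/**
 * Return true if no "<number> <unit>" offset in $input exceeds the digit cap.
 * Only string lengths are inspected, so the check is linear in the input size
 * and never performs date arithmetic on a caller-chosen magnitude.
 */
function offsetsAreBounded(string $input): bool
{
    $re = '/(\d+)\s*(?:' . UNIT_PATTERN . ')s?\b/i';
    if (preg_match_all($re, $input, $matches) === false) {
        return false; // regex engine error: fail closed
    }
    foreach ($matches[1] as $digits) {
        // Leading zeros do not change the magnitude, so ignore them.
        if (strlen(ltrim($digits, '0')) > MAX_OFFSET_DIGITS) {
            return false;
        }
    }
    return true;
}

/** strtotime() wrapper that rejects oversized offsets before parsing. */
function guardedStrtotime(string $input)
{
    return offsetsAreBounded($input) ? strtotime($input) : false;
}

// Constructed sample inputs; the second is the example from this report.
$samples = ['+3 days', '+1000000000000 days', '23 July 2008 16:05', '+000042 weeks'];
foreach ($samples as $s) {
    $result = guardedStrtotime($s);
    printf("%-24s %s\n", $s, $result === false ? 'Error: invalid time' : 'accepted');
}
```

Absolute dates pass through untouched because only a digit run followed by a unit word is measured; the cap is a policy choice and applies regardless of whether the underlying PHP version carries the fix.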
