Excessively large offset specified in {{#time:}} causes timeout
Closed, Resolved, Public

Description

Author: ed.nr.drie

Description:
In markup, {{#time: <mask> | <large_integer> <unit>}} where <large_integer> is of the magnitude of 1E12, when using the Preview button, the server returns the error page saying
"Wikimedia Foundation - Error - Our servers are currently experiencing a technical problem ..." after 1 minute.
Example: {{#time:j F| +1000000000000 days}}
Expected result: immediate "Error: invalid time"
(No attempt to save the page was made for security reasons.)

However, moderately large numbers, like 1E11, cause long delays, but successfully return "Error: invalid time".


Version: unspecified
Severity: major

bzimport set Reference to bz14898.
bzimport created this task. Via Legacy, Jul 23 2008, 4:05 PM
bzimport added a comment. Via Conduit, Aug 20 2008, 5:43 AM

fran wrote:

This actually appears to be a bug in PHP's strtotime() function; a rather nasty one. Running this:

php -r "strtotime('+1000000000000 days');"

causes PHP to run seemingly forever on my laptop. Unfortunately, I'm not completely sure how we'd be able to detect this consistently.

bzimport added a comment. Via Conduit, Aug 20 2008, 10:31 AM

ed.nr.drie wrote:

If this implies potential DoS vulnerability, this report's severity and priority status may need updating.

bzimport added a comment. Via Conduit, Aug 20 2008, 7:12 PM

fran wrote:

Indeed, this has DoS potential; I've upgraded it to "Critical."

This bug recently filed in PHP's bug tracker appears to be the cause:
http://bugs.php.net/bug.php?id=45822

tstarling added a comment. Via Conduit, Sep 13 2008, 12:56 PM

Created attachment 5329
Patch for PHP 5.x

I've sent this patch to Derick Rethans, who maintains the code in question, but he hasn't applied it yet, AFAIK. I talked to him about it on IRC and he didn't seem very interested. It doesn't work for PHP 6. PHP 6 has some extra features and I still need a bit of extra inspiration to reimplement them in a loop-free way.

Attached: fast_do_normalize.patch
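
An added illustration, not the attached patch or PHP's own code: the thread only says the fix is "loop-free", so this example assumes the slow path is a carry loop that runs once per unit of overflow, and compares it with a division-based equivalent. The function names and the fixed-width range (hours carried into days, with end - start == adj) are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Loop-based carry: brings *a into [start, end) by moving whole units into *b.
 * One iteration per unit of overflow, so cost grows linearly with the
 * user-supplied magnitude. Returns the iteration count. */
static uint64_t normalize_loop(int64_t start, int64_t end, int64_t adj,
                               int64_t *a, int64_t *b)
{
    uint64_t steps = 0;
    while (*a < start) { *a += adj; *b -= 1; steps++; }
    while (*a >= end)  { *a -= adj; *b += 1; steps++; }
    return steps;
}

/* Loop-free carry: same result from a single division, constant time.
 * Assumes end - start == adj and inputs far from the int64_t limits. */
static void normalize_fast(int64_t start, int64_t end, int64_t adj,
                           int64_t *a, int64_t *b)
{
    if (*a < start) {
        int64_t n = (start - *a - 1) / adj + 1;  /* ceil((start - a) / adj) */
        *a += n * adj;
        *b -= n;
    } else if (*a >= end) {
        int64_t n = (*a - end) / adj + 1;        /* floor((a - end) / adj) + 1 */
        *a -= n * adj;
        *b += n;
    }
}

int main(void)
{
    /* Constructed input: 100000 hours, small enough for the loop to finish. */
    int64_t a = 100000, b = 0;
    uint64_t steps = normalize_loop(0, 24, 24, &a, &b);
    printf("loop: hours=%lld days=%lld iterations=%llu\n",
           (long long)a, (long long)b, (unsigned long long)steps);

    /* Magnitude from the report (1E12): the loop would need about 4e10
     * iterations here; the division form does not iterate at all. */
    a = 1000000000000LL; b = 0;
    normalize_fast(0, 24, 24, &a, &b);
    printf("fast: hours=%lld days=%lld\n", (long long)a, (long long)b);
    return 0;
}
```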

siebrand added a comment. Via Conduit, Nov 2 2008, 9:47 PM

Just did a quick feedback check with Derick. Response: no time, but not forgotten.

tstarling added a comment. Via Conduit, May 12 2009, 6:10 AM

Derick tells me that a solution to this problem is in PHP 5.3-cvs.

MaxSem added a comment. Via Conduit, May 29 2010, 12:43 PM

Now that the crash problem is solved, PF should handle such cases sanely. Currently, for {{#time:j F| +1000000000000 days}} the output is "90 <>", which is a bit random.

MarkAHershberger added a comment. Via Conduit, Mar 19 2011, 3:05 AM

Since the fix is in PHP, anyone running into this problem should run PHP 5.3+ (I trust Tim to reopen if I'm wrong.)

brion added a comment. Via Conduit, Sep 14 2011, 11:59 PM

Bug 28127 has been marked as a duplicate of this bug.
