Page MenuHomePhabricator

"action=history&feed=" is an easy target for DOS attack
Closed, ResolvedPublic

Description

Hi,

requesting URLs like http://en.wikipedia.org/w/index.php?title=Cat&action=history&feed=rss is an easy way of DOS-attacking a small MediaWiki website. These requests are quite heavy (diff generation for N revisions, with fetching all those revisions from DB?), have no captcha (because RSS readers don't support that), and since legitimate users almost never use them, they result in a cache miss.

Please make a configuration option to disable this "feature". $wgFeed is not good enough: RSS is quite useful for Recentchanges/Newpages, we don't want to disable those.


Version: 1.22.0
Severity: normal

Details

Reference
bz50886

Event Timeline

bzimport raised the priority of this task from to Normal.
bzimport set Reference to bz50886.

Hm, I was going to recommend setting $wgFeedLimit to a lower value ([[mw:Manual:$wgFeedLimit]]), but apparently the implementation for HistoryAction is broken and enforces a minimal maximum of 10 diffs. I'll submit a patch to fix that.

Change 72372 had a related patch set uploaded by Matmarex:
Correctly use $wgFeedLimit in page history feed

https://gerrit.wikimedia.org/r/72372

Change 72372 merged by jenkins-bot:
Correctly use $wgFeedLimit in page history feed

https://gerrit.wikimedia.org/r/72372

This is now fixed in master. You can now set $wgFeedLimit = 1; to make history feed generation no more expensive than viewing a regular diff.