
"action=history&feed=" is an easy target for DOS attack
Closed, Resolved · Public



Requesting URLs like is an easy way of DOS-attacking a small MediaWiki website. These requests are quite heavy (diff generation for N revisions, with fetching all those revisions from DB?), have no captcha (because RSS readers don't support that), and since legitimate users almost never use them, they result in a cache miss.

Please make a configuration option to disable this "feature". $wgFeed is not good enough: RSS is quite useful for Recentchanges/Newpages, we don't want to disable those.

Version: 1.22.0
Severity: normal



Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 1:53 AM
bzimport set Reference to bz50886.

Hm, I was going to recommend setting $wgFeedLimit to a lower value ([[mw:Manual:$wgFeedLimit]]), but apparently the implementation for HistoryAction is broken and enforces a minimal maximum of 10 diffs. I'll submit a patch to fix that.

Change 72372 had a related patch set uploaded by Matmarex:
Correctly use $wgFeedLimit in page history feed

Change 72372 merged by jenkins-bot:
Correctly use $wgFeedLimit in page history feed

This is now fixed in master. You can now set $wgFeedLimit = 1; to make history feed generation no more expensive than viewing a regular diff.
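The thread describes the defect only as "enforces a minimal maximum of 10 diffs". The following is an added illustration, not MediaWiki's HistoryAction code and not the merged change 72372, of how a hard-coded floor applied after the $wgFeedLimit cap makes $wgFeedLimit = 1 ineffective, alongside the corrected clamping. The function names, the default of 10, and the sample request values are all hypothetical.

```php
<?php
// Added illustration (hypothetical, not MediaWiki's actual code): a floor
// applied after the configured cap defeats $wgFeedLimit; the corrected
// variant treats $wgFeedLimit as an absolute upper bound.

/**
 * Broken variant: clamps the requested count to $wgFeedLimit, then forces
 * a minimum of 10, so an administrator's $wgFeedLimit = 1 has no effect.
 */
function feedLimitWithFloor( ?int $requested, int $wgFeedLimit, int $default = 10 ): int {
    $limit = $requested ?? $default;
    $limit = min( $limit, $wgFeedLimit );
    return max( $limit, 10 ); // the floor is the defect
}

/**
 * Corrected variant: only guard against non-positive values, then cap at
 * the configured $wgFeedLimit, whatever the client asked for.
 */
function feedLimitCapped( ?int $requested, int $wgFeedLimit, int $default = 10 ): int {
    $limit = $requested ?? $default;
    if ( $limit < 1 ) {
        $limit = 1;
    }
    return min( $limit, $wgFeedLimit );
}

// Constructed sample requests: [ requested limit, configured $wgFeedLimit ]
$cases = [
    [ null, 50 ],   // no limit parameter, generous configuration
    [ 500,  50 ],   // client asks for far more than configured
    [ 500,  1 ],    // admin capped history feeds to a single diff
    [ 0,    1 ],    // bogus zero from the client
];

foreach ( $cases as [ $requested, $cap ] ) {
    printf(
        "requested=%-4s cap=%-3d floor-variant=%-3d capped-variant=%d\n",
        $requested === null ? 'none' : $requested,
        $cap,
        feedLimitWithFloor( $requested, $cap ),
        feedLimitCapped( $requested, $cap )
    );
}
```

With the floor in place, the third case still generates 10 diffs even though the site is configured for 1; with the corrected clamping, $wgFeedLimit = 1 in LocalSettings.php bounds every history feed request to a single diff, which is the behaviour the final comment describes.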