Last modified: 2011-09-14 23:59:27 UTC
In markup, {{#time: <mask> | <large_integer> <unit>}} where <large_integer> is of the magnitude of 1E12, when using the Preview button, the server returns the error page saying "Wikimedia Foundation - Error - Our servers are currently experiencing a technical problem ..." after 1 minute.

Example: {{#time:j F| +1000000000000 days}}

Expected result: immediate "Error: invalid time"

(No attempt to save the page was made for security reasons.)

However, moderately large numbers, like 1E11, cause long delays, but successfully return "Error: invalid time".
This actually appears to be a bug in PHP's strtotime() function; a rather nasty one. Running this: php -r "strtotime('+1000000000000 days');" causes PHP to run seemingly forever on my laptop. Unfortunately, I'm not completely sure how we'd be able to detect this consistently.
If this implies potential DoS vulnerability, this report's severity and priority status may need updating.
Indeed, this has DoS potential; I've upgraded it to "Critical." This bug recently filed in PHP's bug tracker appears to be the cause: http://bugs.php.net/bug.php?id=45822
Created attachment 5329: Patch for PHP 5.x

I've sent this patch to Derick Rethans, who maintains the code in question, but he hasn't applied it yet, AFAIK. I talked to him about it on IRC and he didn't seem very interested. It doesn't work for PHP 6. PHP 6 has some extra features and I still need a bit of extra inspiration to reimplement them in a loop-free way.
Just did a quick feedback check with Derick. Response: no time, but not forgotten.
Derick tells me that a solution to this problem is in PHP 5.3-cvs.
Now that the crash problem is solved, PF should handle such cases sanely. Currently, for {{#time:j F| +1000000000000 days}} the output is "90 <>", which is a bit random.
Since the fix is in PHP, anyone running into this problem should run PHP 5.3+ (I trust Tim to reopen if I'm wrong.)
*** Bug 28127 has been marked as a duplicate of this bug. ***
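
A stopgap guard for the input described in this report, as an added example that is not part of the thread, MediaWiki, or ParserFunctions: it rejects oversized relative offsets before they reach strtotime(). The function names and the six-digit limit are assumptions.

```php
<?php
// Added example; not MediaWiki or ParserFunctions code.
// MAX_OFFSET_DIGITS is an assumed limit: tune it to what the wiki needs.
const MAX_OFFSET_DIGITS = 6;

/**
 * True when no "<number> <unit word>" offset in $input has more
 * significant digits than the limit. Digit runs not followed by a
 * word (for example a trailing year) are left for strtotime() to judge.
 */
function hasBoundedOffsets(string $input, int $maxDigits = MAX_OFFSET_DIGITS): bool
{
    // Capture each digit run that is followed by a word of two or more letters.
    if (preg_match_all('/(\d+)\s*[a-z]{2,}/i', $input, $m) === false) {
        return false; // regex engine error: fail closed
    }
    foreach ($m[1] as $digits) {
        // Leading zeros add length but not magnitude, so ignore them.
        if (strlen(ltrim($digits, '0')) > $maxDigits) {
            return false;
        }
    }
    return true;
}

/** strtotime() behind the guard; false maps to "Error: invalid time". */
function guardedStrtotime(string $input)
{
    return hasBoundedOffsets($input) ? strtotime($input) : false;
}

// Constructed sample inputs; the first is the example from the report.
$samples = [
    '+1000000000000 days',
    '+100000000000days',
    '+0000000000030 days',
    '14 September 2011',
    '+2 weeks',
];
foreach ($samples as $s) {
    $ts = guardedStrtotime($s);
    printf("%-24s %s\n", $s, $ts === false ? 'Error: invalid time' : gmdate('j F Y', $ts));
}
```

The guard only limits exposure on PHP builds that still have the looping behaviour; the resolution recorded in this thread is to run PHP 5.3+.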