Last modified: 2013-07-11 15:23:04 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T52886, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 50886 - "action=history&feed=" is an easy target for DOS attack
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: History/Diffs
Version: 1.22.0
Hardware/OS: All All
Importance: Normal normal
Target Milestone: ---
Assigned To: Bartosz Dziewoński
URL:
Depends on:
Blocks:
Reported: 2013-07-07 12:43 UTC by Edward Chernenko
Modified: 2013-07-11 15:23 UTC (History)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---



Description Edward Chernenko 2013-07-07 12:43:54 UTC
Hi,

requesting URLs like http://en.wikipedia.org/w/index.php?title=Cat&action=history&feed=rss is an easy way of DOS-attacking a small MediaWiki website. These requests are quite heavy (diff generation for N revisions, with fetching all those revisions from DB?), have no captcha (because RSS readers don't support that), and since legitimate users almost never use them, they result in a cache miss.

Please make a configuration option to disable this "feature". $wgFeed is not good enough: RSS is quite useful for Recentchanges/Newpages, we don't want to disable those.
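Because the expensive requests described above all share one URL shape (action=history together with a feed= parameter), a wiki operator can check access logs for clients hammering that endpoint. The following Python is an added example, not part of this bug report or of MediaWiki; the log lines and IP addresses are constructed, and the per-client threshold is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def is_history_feed(path):
    """True for page-history feeds (action=history&feed=...).

    Recentchanges/Newpages feeds carry no action=history and are NOT matched,
    which mirrors the report's point that those feeds are legitimate and cheap.
    """
    qs = parse_qs(urlsplit(path).query)
    return qs.get("action") == ["history"] and "feed" in qs

def history_feed_hits(lines):
    """Count history-feed requests per client IP; unparseable lines are skipped."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_history_feed(m.group("path")):
            hits[m.group("ip")] += 1
    return hits

def flag_clients(hits, threshold):
    """Clients at or above the threshold, sorted for stable output."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jul/2013:12:40:01 +0000] "GET /w/index.php?title=Cat&action=history&feed=rss HTTP/1.1" 200 18321',
    '203.0.113.7 - - [07/Jul/2013:12:40:02 +0000] "GET /w/index.php?title=Dog&action=history&feed=rss HTTP/1.1" 200 17998',
    '203.0.113.7 - - [07/Jul/2013:12:40:02 +0000] "GET /w/index.php?title=Cat&action=history&feed=atom HTTP/1.1" 200 18402',
    '198.51.100.4 - - [07/Jul/2013:12:40:03 +0000] "GET /w/index.php?title=Cat&action=history HTTP/1.1" 200 9120',
    '198.51.100.4 - - [07/Jul/2013:12:40:04 +0000] "GET /w/index.php?title=Special:RecentChanges&feed=rss HTTP/1.1" 200 5020',
    '198.51.100.4 - - [07/Jul/2013:12:40:05 +0000] "GET /w/index.php?title=Cat&action=history&feed=rss HTTP/1.1" 200 18321',
    'not a log line',
]

if __name__ == "__main__":
    counts = history_feed_hits(SAMPLE_LOG)
    print(dict(counts))                      # {'203.0.113.7': 3, '198.51.100.4': 1}
    print(flag_clients(counts, threshold=3))  # ['203.0.113.7']
```

In practice the count would be taken over a sliding time window rather than the whole file; the threshold that makes sense depends on how expensive the wiki's diff generation is.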
Comment 1 Bartosz Dziewoński 2013-07-07 12:55:51 UTC
Hm, I was going to recommend setting $wgFeedLimit to a lower value ([[mw:Manual:$wgFeedLimit]]), but apparently the implementation for HistoryAction is broken and enforces a minimal maximum of 10 diffs. I'll submit a patch to fix that.
Comment 2 Gerrit Notification Bot 2013-07-07 18:40:34 UTC
Change 72372 had a related patch set uploaded by Matmarex:
Correctly use $wgFeedLimit in page history feed

https://gerrit.wikimedia.org/r/72372
Comment 3 Gerrit Notification Bot 2013-07-11 14:58:21 UTC
Change 72372 merged by jenkins-bot:
Correctly use $wgFeedLimit in page history feed

https://gerrit.wikimedia.org/r/72372
Comment 4 Bartosz Dziewoński 2013-07-11 15:23:04 UTC
This is now fixed in master. You can now set $wgFeedLimit = 1; to make history feed generation no more expensive than viewing a regular diff.
