Last modified: 2013-04-02 00:00:35 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T28063, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 26063 - Upload Stash API allows some kinds of resource exhaustion
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: UploadWizard
Version: unspecified
Hardware: All
OS: All
Priority: Low
Severity: normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:
Reported: 2010-11-22 23:16 UTC by Neil Kandalgaonkar
Modified: 2013-04-02 00:00 UTC
CC: 4 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---



Description Neil Kandalgaonkar 2010-11-22 23:16:07 UTC
It is possible to mount an attack on the server by using UploadStash to:

- upload zillions of small files (# of files per directory)
- upload many very large files (disk usage)


Expiry can't happen in less than a few hours since it may actually take that amount of time to upload some large videos.

Not easy to do this just by examining the file system, since temp files are hashed up in directories, and aren't associated with a user or IP.


Simple solution:

- simple crontabs on the server to clean up temp files with a reasonable time frame like anything older than 3 days

- guard methods on the UploadStash object to cycle out a user's old objects when they have more than 100 abandoned temp files, or more than 100 total MB
Comment 1 Neil Kandalgaonkar 2011-03-22 18:31:08 UTC
Asked Roan for comments -- Roan notes that a global limit would be a better guard against DOS. The worst case scenario is then files would be cycled out too quickly.
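An added illustration (not MediaWiki's UploadStash code) of the guards proposed in the description and in comment 1: a 3-day age expiry, a per-user cap of 100 files / 100 MB that cycles out the user's oldest files first, and an optional global byte limit. It assumes that per-file metadata (owner, size, last-modified time) is available from stash records, which the report notes cannot be recovered from the hashed temp directories alone.

```python
from dataclasses import dataclass

MB = 1024 * 1024
DAY = 24 * 3600

@dataclass(frozen=True)
class StashEntry:
    key: str    # stash file key
    user: str   # uploader (user name or IP); assumed to be recorded with the entry
    size: int   # bytes on disk
    mtime: int  # last-modified time, seconds since epoch

def select_evictions(entries, now, max_age=3 * DAY, max_files=100,
                     max_bytes=100 * MB, global_max_bytes=None):
    """Return the set of stash keys that the guard would remove."""
    evict = set()
    # 1. Age-based expiry: the rule a periodic cleanup cron would apply.
    live = [e for e in entries if now - e.mtime <= max_age]
    evict.update(e.key for e in entries if now - e.mtime > max_age)
    # 2. Per-user caps on count and total size, dropping the oldest files first.
    by_user = {}
    for e in live:
        by_user.setdefault(e.user, []).append(e)
    remaining = []
    for files in by_user.values():
        files.sort(key=lambda e: e.mtime)  # oldest first
        total = sum(e.size for e in files)
        while files and (len(files) > max_files or total > max_bytes):
            oldest = files.pop(0)
            total -= oldest.size
            evict.add(oldest.key)
        remaining.extend(files)
    # 3. Optional global limit (comment 1): cycles out the globally oldest files.
    if global_max_bytes is not None:
        remaining.sort(key=lambda e: e.mtime)
        total = sum(e.size for e in remaining)
        while remaining and total > global_max_bytes:
            oldest = remaining.pop(0)
            total -= oldest.size
            evict.add(oldest.key)
    return evict

# Constructed sample stash: one stale file, one user over the byte cap,
# one user over the file-count cap, and one well-behaved user.
NOW = 1_000_000
SAMPLE = [
    StashEntry("a1", "alice", 10 * MB, NOW - 4 * DAY),   # older than 3 days
    StashEntry("a2", "alice", 60 * MB, NOW - 3600),      # alice's live total is 110 MB
    StashEntry("a3", "alice", 50 * MB, NOW - 600),
    *[StashEntry(f"b{i}", "bob", 1024, NOW - (200 - i)) for i in range(105)],
    StashEntry("c1", "carol", 20 * MB, NOW - 7200),
]
```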
Comment 2 Neil Kandalgaonkar 2011-04-05 23:45:03 UTC
Decided this is not a blocker for UploadWizard, but it is a general API bug
Comment 3 Mark A. Hershberger 2011-04-18 21:55:24 UTC
Some sort of garbage collection could handle this in MW or a cron script
Comment 4 Bugmeister Bot 2011-08-19 19:12:35 UTC
Unassigning default assignments. http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/54734
Comment 5 Aaron Schulz 2013-04-02 00:00:35 UTC
Weekly cron has been running for months now.
