  1. phpBB
  2. PHPBB-13138

Banned users cause infinite recursion


    • Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • Fix Version/s: 3.0.13-RC1, 3.1.0-RC6
    • Affects Version/s: 3.0.12
    • Component/s: Authentication, Sessions
    • Labels: None
    • Environment: PHP 5.4.4, MySQL 5.5.38, Linux 3.13.0, Debian Wheezy, FastCGI mode, any browser.

      I find that banned users trying to visit my forum (running phpBB 3.0.12) cause infinite recursion, causing the page to crash (after having consumed many a CPU second). The recursion loop looks as follows:

      session_begin at session.php:476
      session_create at session.php:657
      check_ban at session.php:1188
      session_kill at session.php:933
      session_create at session.php:657
      check_ban at session.php:1188
      session_kill at session.php:933
      ...

      I suspect the cause of this is that the return value of the auth module's autologin function overrides the wish of session_kill() to create an ANONYMOUS session.

      As long as the contract of the autologin function as described at <https://wiki.phpbb.com/Authentication_plugins#autologin_method> is to be considered reasonably correct, this seems like a bug, no? No particular behavior seems to be described at that page that the autologin function should implement to ensure that bans work correctly.

        1. auth_haven.php (2 kB, Dolda2000)
        2. session.patch (3 kB, Dolda2000)

            nickvergessen Joas Schilling
            Dolda2000 (Inactive)
            Votes: 0
            Watchers: 4

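A simplified model of the cycle in the trace above, added here as an illustration: it is not phpBB's session.php and not the attached session.patch. Only the function names and ANONYMOUS come from the report; the class, the depth cap, the banned id 42 and the guard (consult the plugin only when the caller did not request a specific user) are assumptions. It shows the plugin's answer re-triggering the ban check on every re-entry, and the cycle ending once session_kill's request for a guest session is honoured.

```php
<?php
// Simplified model of the cycle in the trace; not phpBB's session.php.
const ANONYMOUS = 1;   // guest user id
const MAX_DEPTH = 25;  // assumed cap so the demonstration terminates
class LoopDetected extends Exception {}

class ModelSession {
    public $user_id;
    public $creates = 0;              // session_create() calls so far
    private $autologin, $banned, $guard;

    public function __construct(callable $autologin, array $banned, $guard) {
        $this->autologin = $autologin;
        $this->banned = $banned;
        $this->guard = $guard;
    }

    public function session_create($user_id = false) {
        if (++$this->creates > MAX_DEPTH) {
            throw new LoopDetected("session_create entered {$this->creates} times");
        }
        $this->user_id = ($user_id === false) ? ANONYMOUS : $user_id;
        // Unguarded: the plugin's answer replaces whatever the caller asked for.
        // Guarded: the plugin is consulted only when no user id was requested.
        if (!$this->guard || $user_id === false) {
            $row = call_user_func($this->autologin);
            if (!empty($row)) { $this->user_id = $row['user_id']; }
        }
        $this->check_ban();
        return $this->user_id;
    }

    private function check_ban() {
        if ($this->user_id != ANONYMOUS && in_array($this->user_id, $this->banned)) {
            $this->session_kill();
        }
    }

    private function session_kill() {
        $this->session_create(ANONYMOUS);   // asks for a guest session
    }
}
$plugin = function () { return array('user_id' => 42); };  // constructed banned account
foreach (array(false, true) as $guard) {
    $s = new ModelSession($plugin, array(42), $guard);
    try {
        printf("guard=%d: user_id=%d after %d call(s)\n", $guard, $s->session_create(), $s->creates);
    } catch (LoopDetected $e) {
        printf("guard=%d: %s\n", $guard, $e->getMessage());
    }
}
```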