  1. phpBB
  2. PHPBB-6359

Banning by IP address sometimes yields blank page


    • Type: Bug
    • Resolution: Fixed
    • 3.0.0
    • 3.0.RC7
    • Sessions
    • None
    • PHP Environment: 5.5.0 (from SUS
      Database: MySQL 4.1.13 (from S

      Under some circumstances, a request from an IP address that has been banned results in a blank page displayed by the browser, instead of a page reporting that it is banned. The "blank page" is actually the result of the server closing the connection without sending any HTML.

      Investigation showed that this happens if the request is not associated with an existing phpBB session. The situations where I've seen it are

      (a) a request from a browser that does not have any existing/current session cookies, or

      (b) where a "founder" (allowed to log in in spite of the ban) logs out, thus destroying the session state, or

      (c) a logged-in founder uses the "Delete all board cookies" link

      The problem is NOT seen if the browser already has phpBB session cookies when the ban is imposed, whether logged in or anonymous (as long as cases (b) or (c) above are not triggered).

      How (or if) this is reported in the web server log seems to vary, e.g. I've seen all of

      • not mentioned in log
      • reported as e.g. "child pid 9183 exit signal Segmentation fault (11)"
      • "Allowed memory size of 8388608 bytes exhausted (tried to allocate 256 bytes)"

      Adding some logging to session.php to track down the cause showed that the problem is infinite mutual recursion between session_create and check_ban.

      session_create calls check_ban to check if the user's banned (with $return unspecified hence defaulting to false). However, if there is no existing session and $return is false, check_ban calls session_create to set up an anonymous session BEFORE it defines IN_CHECK_BAN, with the result that when session_create calls check_ban (to check the ban status for the session it's been asked to create) the same thing happens, repeatedly, until the available memory is exhausted (with chance variation in when running out of memory is detected and reported).

      A brief attempt at finding a solution avoided the infinite recursion, but only at the expense of breaking the ban (it displayed the ban page, but reloading that page got the underlying "real" page) - so I'll have to leave identifying the correct solution to the experts.

            Acyd Burn Meik Sievertsen [X] (Inactive)
            john line
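
The mutual recursion described in the report, as an added example that is not part of the original report and is not phpBB's code: a simplified PHP model that contrasts setting the re-entrancy guard after the nested `session_create` call (the order the report describes) with setting it before, and also checks a banned request that already carries a session. The `$inCheckBan` property (standing in for `IN_CHECK_BAN`), the `BanPage` exception, the `request()` helper, the sample addresses and the depth cap of 50 are assumptions made for the illustration.

```php
<?php
// Simplified model of the reported call pattern; not phpBB's session.php.
// $inCheckBan stands in for IN_CHECK_BAN, BanPage for the ban page output.
class BanPage extends Exception {}
class SessionModel
{
    const BANNED = ['203.0.113.7'];   // constructed sample ban list
    public $guardFirst = false;       // true: set the guard before re-entry
    public $sessionId = null;         // null: request carried no session cookie
    private $inCheckBan = false;
    private $depth = 0;
    public function session_create($ip)
    {
        if (++$this->depth > 50) {    // demo cap; uncapped, memory runs out or PHP crashes
            throw new RuntimeException('runaway recursion');
        }
        if (!$this->inCheckBan) {
            $this->check_ban($ip);    // ban status for the session being created
        }
        $this->sessionId = bin2hex(random_bytes(8));
    }
    public function check_ban($ip)
    {
        if (!in_array($ip, self::BANNED, true)) { return; }
        $this->inCheckBan = $this->guardFirst;
        if ($this->sessionId === null) {
            $this->session_create($ip);   // anonymous session for the ban page
        }
        $this->inCheckBan = true;         // reported order: guard set only here
        throw new BanPage();
    }
}
function request($guardFirst, $sessionId, $ip)
{
    $s = new SessionModel();
    $s->guardFirst = $guardFirst;
    $s->sessionId = $sessionId;
    try {
        $sessionId === null ? $s->session_create($ip) : $s->check_ban($ip);
        return 'content';
    } catch (BanPage $e) {
        return 'ban page';
    } catch (RuntimeException $e) {
        return $e->getMessage();
    }
}
foreach ([false, true] as $g) {   // banned/no session | banned/has session | not banned
    echo (int) $g, ': ', request($g, null, '203.0.113.7'), ' | ',
        request($g, 'sid', '203.0.113.7'), ' | ', request($g, null, '198.51.100.9'), "\n";
}
```

The guard only suppresses the nested ban check inside a single request. Each new request builds a fresh `SessionModel` and evaluates the ban again, so the anonymous session created for the ban page does not exempt a reload from the check.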