phpBB3: PHPBB3-13138

Banned users cause infinite recursion

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.0.12
    • Fix Version/s: 3.0.13-RC1, 3.1.0-RC6
    • Component/s: Authentication, Sessions
    • Labels:
      None
    • Environment:
      PHP 5.4.4, MySQL 5.5.38, Linux 3.13.0, Debian Wheezy, FastCGI mode, any browser.

      Description

      I find that banned users trying to visit my forum (running phpBB 3.0.12) cause infinite recursion, causing the page to crash (after having consumed many a CPU second). The recursion loop looks as follows:

      session_begin at session.php:476
      session_create at session.php:657
      check_ban at session.php:1188
      session_kill at session.php:933
      session_create at session.php:657
      check_ban at session.php:1188
      session_kill at session.php:933
      ...

      I suspect the cause of this is that the return value of the auth module's autologin function overrides the wish of session_kill() to create an ANONYMOUS session.

      As long as the contract of the autologin function as described at <https://wiki.phpbb.com/Authentication_plugins#autologin_method> is to be considered reasonably correct, this seems like a bug, no? No particular behavior seems to be described at that page that the autologin function should implement to ensure that bans work correctly.
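      The loop in the backtrace above, as an added illustration that is not phpBB's code: a simplified PHP model of session_begin()/session_create()/check_ban()/session_kill() in which the auth module's autologin hook keeps returning the banned user, so every session_kill() re-creates the banned session. The SessionModel class, the ban list, the recursion fuse and the guard flag are all constructed for this demonstration; the guard (do not consult autologin when the session being created is the explicit ANONYMOUS one that session_kill() asked for) is a hypothetical way to end the loop and is not the change merged in PR 3039.

```php
<?php
// Added illustration only; a simplified model, not phpBB's session.php.
// It reproduces the session_create -> check_ban -> session_kill -> session_create
// loop from the report and shows one hypothetical guard that breaks it.

const ANONYMOUS = 1;

class SessionModel
{
    /** @var callable|null Auth-module autologin hook: returns a user row or [] */
    private $autologin;
    /** @var int[] Constructed ban list (user ids) */
    private $banned;
    /** @var bool Hypothetical guard, not phpBB's shipped fix */
    private $guard;
    /** @var int Recursion fuse so the demonstration cannot actually hang */
    private $maxDepth;

    public $data = [];
    public $createCalls = 0;
    private $depth = 0;

    public function __construct(?callable $autologin = null, array $banned = [], $guard = false, $maxDepth = 25)
    {
        $this->autologin = $autologin;
        $this->banned = $banned;
        $this->guard = $guard;
        $this->maxDepth = $maxDepth;
    }

    /** session_begin(): no stored session, so create one (session.php:476 in the trace). */
    public function session_begin()
    {
        return $this->session_create(false);
    }

    /** session_create(): the autologin result is taken before the requested $user_id. */
    public function session_create($user_id = false)
    {
        $this->createCalls++;
        if (++$this->depth > $this->maxDepth) {
            throw new RuntimeException("recursion fuse tripped after {$this->createCalls} session_create() calls");
        }

        $this->data = [];
        // Guard: an explicit ANONYMOUS session (what session_kill() wants) skips autologin.
        $consultAutologin = $this->autologin !== null && !($this->guard && $user_id === ANONYMOUS);
        if ($consultAutologin) {
            $this->data = call_user_func($this->autologin); // may hand back the banned user again
        }
        if (!$this->data) {
            $this->data = ['user_id' => ($user_id === false) ? ANONYMOUS : $user_id];
        }

        $this->check_ban($this->data['user_id']); // session.php:657 in the trace
        $this->depth--;
        return $this->data;
    }

    /** check_ban(): a banned user gets the session killed (session.php:1188). */
    private function check_ban($user_id)
    {
        if (in_array($user_id, $this->banned, true)) {
            $this->session_kill();
        }
    }

    /** session_kill(): drop the session and start an anonymous one (session.php:933). */
    private function session_kill()
    {
        $this->data = [];
        $this->session_create(ANONYMOUS);
    }
}

// Constructed data: user 42 is banned, and the auth module's autologin keeps
// returning user 42 (for example from an external identity it trusts).
$banned = [42];
$autologin = function () { return ['user_id' => 42]; };

// 1. Unguarded: the loop from the report, stopped only by the fuse.
$loop = new SessionModel($autologin, $banned, false);
try {
    $loop->session_begin();
    echo "unexpected: no recursion\n";
} catch (RuntimeException $e) {
    echo "unguarded: " . $e->getMessage() . "\n";
}

// 2. Guarded: session_kill()'s anonymous session is honoured and the loop ends.
$ok = new SessionModel($autologin, $banned, true);
$row = $ok->session_begin();
printf("guarded: ended as user_id=%d after %d session_create() calls\n", $row['user_id'], $ok->createCalls);
```

      Running it with `php` prints the fuse tripping after 26 session_create() calls for the unguarded model and, for the guarded one, an anonymous session after two calls. The point is the same one the report makes: whatever the auth module returns from autologin, the session created on behalf of session_kill() must not be allowed to become the banned user again, or a banned visitor can burn CPU on every request.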

      Attachments

      1. auth_haven.php (2 kB, Dolda2000)
      2. session.patch (3 kB, Dolda2000)

          Activity

          Dolda2000 Dolda2000 added a comment -

          Which was the fix you just merged? If you're referring to <https://github.com/phpbb/phpbb/pull/3040>, it seems to contain an absolutely huge number of (unrelated) commits. Sorry for not being familiar with this bug tracker.

          bantu Andreas Fischer added a comment - https://github.com/phpbb/phpbb/pull/3039

          Dolda2000 Dolda2000 added a comment -

          Thank you.

          That fix does seem to work. I must admit I'm concerned about that new if(!$bot) test, however. Should autologin really stop working just because the user happens to use a bot-like user-agent?

          DavidIQ David Colón added a comment -

          A user that would do that would have other problems, not just with autologin. They wouldn't be able to post for instance and would have a hard time logging in to begin with.

          Dolda2000 Dolda2000 added a comment -

          Fine, then.


          People

          • Assignee: nickvergessen Joas Schilling
          • Reporter: Dolda2000 Dolda2000
          • Votes: 0
          • Watchers: 4