  1. phpBB3
  2. PHPBB3-13138

Banned users cause infinite recursion

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.0.12
    • Fix Version/s: 3.0.13-RC1, 3.1.0-RC6
    • Component/s: Authentication, Sessions
    • Labels:
      None
    • Environment:
      PHP 5.4.4, MySQL 5.5.38, Linux 3.13.0, Debian Wheezy, FastCGI mode, any browser.

      Description

      I find that banned users trying to visit my forum (running phpBB 3.0.12) cause infinite recursion, causing the page to crash (after having consumed many a CPU second). The recursion loop looks as follows:

      session_begin at session.php:476
      session_create at session.php:657
      check_ban at session.php:1188
      session_kill at session.php:933
      session_create at session.php:657
      check_ban at session.php:1188
      session_kill at session.php:933
      ...

      I suspect the cause of this is that the return value of the auth module's autologin function overrides the wish of session_kill() to create an ANONYMOUS session.

      As long as the contract of the autologin function as described at <https://wiki.phpbb.com/Authentication_plugins#autologin_method> is to be considered reasonably correct, this seems like a bug, no? No particular behavior seems to be described at that page that the autologin function should implement to ensure that bans work correctly.
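
      The loop in the trace above, reduced to a toy model and run once without and once with a guard that lets an explicit user id passed to session_create take precedence over autologin. This is an added example, not part of the report and not phpBB code or the fix that was shipped; the ToySession class, the $guard switch, the sample banned user id and the depth cap are assumptions.

```php
<?php
// Toy model of the loop in the trace above; not phpBB code. The class, the
// $guard switch and the depth cap are assumptions made for illustration.
const ANONYMOUS = 1;      // guest user id
const BANNED_USER = 42;   // constructed sample id of a banned account

class ToySession
{
    public $user_id = ANONYMOUS;
    public $depth = 0;
    private $guard;

    public function __construct($guard) { $this->guard = $guard; }
    // Stand-in for an auth plugin's autologin(): it reports the externally
    // authenticated user and knows nothing about bans.
    private function autologin() { return BANNED_USER; }

    public function session_create($user_id = false)
    {
        if (++$this->depth > 20) {
            throw new RuntimeException('recursion cap hit');
        }
        // Unguarded: autologin's answer replaces what the caller asked for.
        // Guarded: an explicit request (ANONYMOUS from session_kill) wins.
        if (!$this->guard || $user_id === false) {
            $user_id = $this->autologin();
        }
        $this->user_id = $user_id;
        if ($this->user_id === BANNED_USER) {   // check_ban
            $this->session_kill();
        }
    }

    private function session_kill()
    {
        $this->session_create(ANONYMOUS);       // intends a guest session
    }
}

foreach (array(false, true) as $guard) {
    $s = new ToySession($guard);
    $label = $guard ? 'guarded' : 'unguarded';
    try {
        $s->session_create();
        echo "$label: user_id={$s->user_id} after {$s->depth} call(s)\n";
    } catch (RuntimeException $e) {
        echo "$label: {$e->getMessage()} at depth {$s->depth}\n";
    }
}
```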

              People

              • Assignee: nickvergessen (Joas Schilling)
              • Reporter: Dolda2000
              • Votes: 0
              • Watchers: 4