[PHPBB3-13138] Banned users cause infinite recursion

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 3.0.12
Fix Version/s: 3.0.13-RC1, 3.1.0-RC6
Component/s: Authentication, Sessions
Labels:
None
Environment:
PHP 5.4.4, MySQL 5.5.38, Linux 3.13.0, Debian Wheezy, FastCGI mode, any browser.

GitHub Pull Request URL:
https://github.com/phpbb/phpbb/pull/3039

Description

I find that banned users trying to visit my forum (running phpBB 3.0.12) cause infinite recursion, causing the page to crash (after having consumed many a CPU second). The recursion loop looks as follows:

session_begin at session.php:476
session_create at session.php:657
check_ban at session.php:1188
session_kill at session.php:933
session_create at session.php:657
check_ban at session.php:1188
session_kill at session.php:933
...

I suspect the cause of this is that the return value of the auth module's autologin function overrides the wish of session_kill() to create an ANONYMOUS session.

As long as the contract of the autologin function as described at <https://wiki.phpbb.com/Authentication_plugins#autologin_method> is to be considered reasonably correct, this seems like a bug, no? No particular particular behavior seems to be described at that page that the autologin function should implement to ensure that bans work correctly.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

auth_haven.php
2 kB
15/Oct/14 8:37 PM
session.patch
3 kB
15/Oct/14 8:22 PM

Issue Links

caused

PHPBB3-13234 Remember me cookie gets unset by admin reauthentication

Closed

PHPBB3-13190 phpbb_session_login_keys_test::test_reset_keys fails on develop-ascraeus

Closed

Activity

People

Assignee:: Joas Schilling

Reporter:: Dolda2000 [X] (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 08/Oct/14 3:43 AM

Updated:: 22/Jan/17 4:02 PM

Resolved:: 20/Oct/14 7:27 PM