https://bugzilla.wikimedia.org/show_bug.cgi?id=26063

           Summary: UploadWizard allows some kinds of resource exhaustion
           Product: MediaWiki extensions
           Version: any
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: UploadWizard
        AssignedTo: ne...@wikimedia.org
        ReportedBy: ne...@wikimedia.org
                CC: gpaum...@wikimedia.org, roan.katt...@gmail.com,
                    asha...@wikimedia.org


It is possible to mount an attack on the server by using UploadStash to:

- upload zillions of small files (# of files per directory)
- upload many very large files (disk usage)


Expiry can't happen in less than a few hours since it may actually take that
amount of time to upload some large videos.

Not easy to do this just by examining the file system, since temp files are
hashed up in directories, and aren't associated with a user or IP.


Simple solution:

- simple crontabs on the server to clean up temp files with a reasonable time
frame like anything older than 3 days

- guard methods on the UploadStash object to cycle out a user's old objects
when they have more than 100 abandoned temp files, or more than 100 total MB
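The two controls proposed above (a time-based sweep plus a per-user file-count and byte quota on the stash) as an added, stand-alone model. This is example code written for this page, not UploadWizard or MediaWiki code, and it is in Python rather than the extension's PHP to keep the policy language-agnostic. It assumes a stash index (`StashEntry`, hypothetical) that records the owner, size and mtime of each temp file, since the report notes the hashed directories on disk carry no user or IP association; the sample stash contents are constructed to reproduce both abuse patterns named in the report.

```python
"""Stash housekeeping policy from the bug report, modelled stand-alone.

Constructed example, not UploadWizard code. A StashEntry index recording the
owner, size and mtime of each stashed temp file is assumed (the raw filesystem
carries no user/IP association, so the guard has to run against the index).
"""
import time
from dataclasses import dataclass

MAX_FILES_PER_USER = 100                # "more than 100 abandoned temp files"
MAX_BYTES_PER_USER = 100 * 1024 * 1024  # "more than 100 total MB"
MAX_AGE_SECONDS = 3 * 24 * 3600         # "anything older than 3 days"


@dataclass
class StashEntry:
    user: str      # owner recorded by the (assumed) stash index
    path: str      # hashed temp path on disk
    size: int      # bytes
    mtime: float   # last modification time, epoch seconds


def sweep_expired(entries, now, max_age=MAX_AGE_SECONDS):
    """Cron-style sweep: drop every entry older than max_age, whoever owns it.
    Returns (kept, expired)."""
    kept, expired = [], []
    for e in entries:
        (expired if now - e.mtime > max_age else kept).append(e)
    return kept, expired


def enforce_user_quota(entries, user,
                       max_files=MAX_FILES_PER_USER, max_bytes=MAX_BYTES_PER_USER):
    """Guard for the stash: while `user` is over either limit, cycle out their
    oldest entries first, so a recent in-progress upload survives.
    Returns (kept, evicted)."""
    mine = sorted((e for e in entries if e.user == user), key=lambda e: e.mtime)
    others = [e for e in entries if e.user != user]
    total = sum(e.size for e in mine)
    evicted = []
    while mine and (len(mine) > max_files or total > max_bytes):
        victim = mine.pop(0)          # oldest first
        total -= victim.size
        evicted.append(victim)
    return others + mine, evicted


def build_sample_stash(now):
    """Constructed stash index modelling both abuse patterns from the report."""
    entries = []
    # alice: 150 tiny files, one per minute -> per-directory file-count exhaustion
    for i in range(150):
        entries.append(StashEntry("alice", f"a/b/tiny{i}.bin", 1024, now - 60 * i))
    # bob: three 40 MB files, 120 MB total -> disk-usage exhaustion
    for i in range(3):
        entries.append(StashEntry("bob", f"c/d/big{i}.webm",
                                  40 * 1024 * 1024, now - 3600 * i))
    # carol: one file abandoned four days ago -> caught by the sweep alone
    entries.append(StashEntry("carol", "e/f/old.ogv",
                              5 * 1024 * 1024, now - 4 * 24 * 3600))
    return entries


def housekeeping(entries, now):
    """Run the sweep, then the per-user guard for every remaining owner,
    and return a summary of what happened."""
    kept, expired = sweep_expired(entries, now)
    evicted = []
    for user in sorted({e.user for e in kept}):
        kept, gone = enforce_user_quota(kept, user)
        evicted.extend(gone)
    users = sorted({e.user for e in kept})
    return {
        "expired": len(expired),
        "evicted": len(evicted),
        "remaining": len(kept),
        "remaining_bytes_by_user": {
            u: sum(e.size for e in kept if e.user == u) for u in users
        },
    }


if __name__ == "__main__":
    now = time.time()
    print(housekeeping(build_sample_stash(now), now))
```

On the constructed stash the sweep removes carol's four-day-old file, the guard trims alice from 150 files to 100 and drops bob's oldest 40 MB file to bring him under 100 MB; the newest entries of both users are untouched, which is the property that matters for a large upload still in progress.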

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l