Closed Bug 1274764 Opened 9 years ago Closed 9 years ago

Increasing memcached performance is possible because Cache::Memcached::Fast does not need detainting

Categories

(Bugzilla :: Bugzilla-General, enhancement, P1)

Product:
Bugzilla
Component:
Bugzilla-General
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 6.0

People

(Reporter: dylan, Assigned: dylan)

References

Details

(Keywords: perf)

Attachments

(1 file)

1274764_1.patch
1.54 KB, patch
dkl
: review+
Details | Diff | Splinter Review
https://metacpan.org/pod/Cache::Memcached::Fast#Tainted-data "In current implementation tainted flag is neither tested nor preserved, storing tainted data and retrieving it back would clear tainted flag. See perlsec." This means we can delete this code: https://github.com/bugzilla/bugzilla/blob/master/Bugzilla/Memcached.pm#L249-L271 which means things will be faster. On BMO at least this is quite slow: http://people.mozilla.org/~dhardison/1243775/nytprof.before/Bugzilla-Memcached-pm-11-line.html of course, we can't do this on BMO because we use Cache::Memcached still (we'll get it when upstream merge is done!)
The fact that this module doesn't preserve the tainted flag is a nice security weakness. This means that it could be possible to store unsanitized data and get it back detained, making everybody think the data has already been validated. Sad!
Severity: normal → enhancement
Attached patch 1274764_1.patchSplinter Review
Attachment #8755869 - Flags: review?(dkl)
Priority: -- → P1
Keywords: perf
Comment on attachment 8755869 [details] [diff] [review] 1274764_1.patch Review of attachment 8755869 [details] [diff] [review]: ----------------------------------------------------------------- You would also need to remove use 'Bugzilla::Util qw(trick_taint);' from top of file. > The fact that this module doesn't preserve the tainted flag is a nice security weakness. This means that it could be possible to store unsanitized data and get it back > detained, making everybody think the data has already been validated. Sad! dylan, is this specific to Cache::Memcached::Fast or does Cache::Memcached also not preserve taintedness? Also since we are blindly just detainting whatever data we get back from memcached now with the old code, we are no worse off with the new change. Ideally we should be checking for taintedness with the data before storing it in memcached. r=dkl with comment fixed.
Attachment #8755869 - Flags: review?(dkl) → review+
Yeah, Cache::Memcached's data is tainted but not intentionally. If you read in a string from a socket that string happens to be tainted. ::Fast is not using perl-level IO functions, so there is no taintedness going on.
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git 7ccda08..a0a047d master -> master
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → Bugzilla 6.0
Blocks: 1308032
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: