Closed
Bug 686995
Opened 13 years ago
Closed 13 years ago
Calling Product.get while being logged out causes high CPU usage on the Bugzilla server
Categories
(Bugzilla :: WebService, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 4.2
People
(Reporter: LpSolit, Assigned: LpSolit)
References
Details
(Keywords: regression, Whiteboard: [blocker will fix])
The problem only appears while being logged out and using 4.1.3. Doesn't appear on 4.0 or while being logged in (even as a powerless user).
Calling Product.get while being logged out never returns anything and it causes high CPU usage on the Bugzilla server. I could reproduce locally and on landfill. So all you need to do to cause trouble on the server is to call Product.get, kill your script, and call Product.get again, etc... The process will still run on the server after you killed your script, and so you can easily eat all the CPU of the server by having several processes running at the same time.
I'm filing this bug as a security bug as you could easily make a server unresponsive.
Flags: blocking4.2+
|
Assignee | |
Comment 1•13 years ago
|
||
To be clear: high CPU usage means 100% of the CPU, even on a dual core! (found while running webservice_product.t)
|
||
Comment 2•13 years ago
|
||
Okay. Does this happen with any set of Product.get arguments or only with certain ones?
|
|
Assignee | |
Comment 3•13 years ago
|
||
(In reply to Max Kanat-Alexander from comment #2)
> Okay. Does this happen with any set of Product.get arguments or only with
> certain ones?
I just tried with { ids => [1, 2, 3] }. No special hack required.
|
|
Assignee | |
Comment 4•13 years ago
|
||
There seems to be some deep recursion in package Bugzilla::XMLRPC::Serializer, in _strip_undefs().
|
|
Assignee | |
Comment 5•13 years ago
|
||
The problem seems to be due to 'internals'. As I see it, internals contains a product object, and due to object referencing, you can end in a deep recursion while going through an object internals, because e.g. a product object has a default assignee and QA contact, which themselves have a list of accessible products, etc.... Despite internals is here since 3.0, the checkin of bug 655229 generated this deep recursion (backing out this patch fixes the problem).
Personally, I see 'internals' as evil, because you have no control over what is returned. It should go away, as proposed in bug 655652. So fixing bug 655652 should fix this problem too.
|
|
Assignee | |
Comment 6•13 years ago
|
||
My patch from bug 655652 indeed fixes the problem.
Assignee: webservice → LpSolit
Status: NEW → ASSIGNED
Whiteboard: [blocker will fix]
|
|
Assignee | |
Comment 7•13 years ago
|
||
Blocker has been checked in. Admins on the 4.2 branch can now update their installation via bzr.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•