Possible security issue in Drupal with previous/next thread in forum
Dear all,

I hope that this is the right place to post.

My issue http://drupal.org/node/559424 was closed with a "Won't fix" answer.

On my server, a query returns 21,000 rows in 7412 ms, just to be able to display the previous and next forum thread. The number of rows seems too large.

I double-checked on my testing server with 650,000 posts and the devel module + pgadmin3.

Kind regards,
Jean-Michel
Quoting Jean-Michel Pouré <jm@poure.com>:

> Dear all,
> I hope that this is the right place to post.
> My issue http://drupal.org/node/559424 was closed with a "Won't fix" answer.
> On my server, a query returns 21,000 rows in 7412 ms, just to be able to display the previous and next forum thread. The number of rows seems too large.
> I double-checked on my testing server with 650,000 posts and the devel module + pgadmin3.
Firstly, if it is a security issue this is not the right place to report it. You should be using the existing method: http://drupal.org/security-team#report-issue

Can you be more exact than "The number of rows seems too large"? Either it's right or wrong. If it's wrong, what is the right number? And if it's wrong, is the SQL statement wrong, the processing that comes next, or somewhere else?

Phil L.
Dear Phil,

> Firstly, if it is a security issue this is not the right place to report it. You should be using the existing method: http://drupal.org/security-team#report-issue

Website down.

> Can you be more exact than "The number of rows seems too large"? Either it's right or wrong. If it's wrong, what is the right number? And if it's wrong, is the SQL statement wrong, the processing that comes next, or somewhere else?

I see no need to run an SQL query resulting in 21,000 rows which are then processed using PHP row-by-row for the sole interest of displaying a block with last and next links. The query takes time to process. An attacker only needs to connect to several different forum pages at the same time. It can flood the database, not PHP.

As I am new on the list, I will stop here. It is not my business to fix this kind of query (if it is wrong). If I were right, you would probably have already fixed it.

Kind regards,
Jean-Michel
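The shape of the problem described in the message above, as an added example that is not part of the thread and not Drupal's own code: a previous/next lookup that pulls every thread in the forum and walks the result in application code, beside a lookup that asks the database for just the two neighbouring rows. The `thread` table, its columns and the sample data are assumed and constructed for the example; the cost that matters for the flooding concern is the third value each function returns, the number of rows the database hands back per page view.

```python
import sqlite3
from typing import Optional, Tuple

Neighbours = Tuple[Optional[int], Optional[int], int]


def build_forum_db(n_threads: int, forum_id: int = 1) -> sqlite3.Connection:
    """Constructed sample data: one forum with n_threads threads, ordered by creation time.
    The schema is assumed for this example and is not Drupal's forum schema."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE thread (tid INTEGER PRIMARY KEY, "
        "forum_id INTEGER NOT NULL, created INTEGER NOT NULL)"
    )
    con.executemany(
        "INSERT INTO thread (tid, forum_id, created) VALUES (?, ?, ?)",
        [(i, forum_id, 1_000_000 + i) for i in range(1, n_threads + 1)],
    )
    # With this index the LIMIT 1 variant is an index seek rather than a scan.
    con.execute("CREATE INDEX thread_forum_order ON thread (forum_id, created, tid)")
    con.commit()
    return con


def neighbours_full_scan(con: sqlite3.Connection, forum_id: int, tid: int) -> Neighbours:
    """Costly shape: fetch every thread in the forum, then find the current thread's
    position in application code. Returns (prev_tid, next_tid, rows_returned_by_db)."""
    rows = con.execute(
        "SELECT tid FROM thread WHERE forum_id = ? ORDER BY created, tid",
        (forum_id,),
    ).fetchall()
    tids = [r[0] for r in rows]
    pos = tids.index(tid)  # ValueError if tid is not in this forum
    prev_tid = tids[pos - 1] if pos > 0 else None
    next_tid = tids[pos + 1] if pos + 1 < len(tids) else None
    return prev_tid, next_tid, len(rows)


def neighbours_limit_one(con: sqlite3.Connection, forum_id: int, tid: int) -> Neighbours:
    """Cheap shape: ask the database for exactly the neighbouring rows.
    (created, tid) is the sort key so threads with equal timestamps order deterministically."""
    row = con.execute(
        "SELECT created FROM thread WHERE tid = ? AND forum_id = ?", (tid, forum_id)
    ).fetchone()
    if row is None:
        raise ValueError(f"thread {tid} is not in forum {forum_id}")
    created = row[0]
    prev_row = con.execute(
        "SELECT tid FROM thread WHERE forum_id = ? "
        "AND (created < ? OR (created = ? AND tid < ?)) "
        "ORDER BY created DESC, tid DESC LIMIT 1",
        (forum_id, created, created, tid),
    ).fetchone()
    next_row = con.execute(
        "SELECT tid FROM thread WHERE forum_id = ? "
        "AND (created > ? OR (created = ? AND tid > ?)) "
        "ORDER BY created ASC, tid ASC LIMIT 1",
        (forum_id, created, created, tid),
    ).fetchone()
    rows_returned = 1 + (prev_row is not None) + (next_row is not None)
    return (
        prev_row[0] if prev_row else None,
        next_row[0] if next_row else None,
        rows_returned,
    )


def rows_per_page_view(n_threads: int, tid: int = 500) -> Tuple[int, int]:
    """Rows the database returns for one page view under each shape: (scan, seek)."""
    con = build_forum_db(n_threads)
    _, _, scan_rows = neighbours_full_scan(con, 1, tid)
    _, _, seek_rows = neighbours_limit_one(con, 1, tid)
    return scan_rows, seek_rows


if __name__ == "__main__":
    db = build_forum_db(21_000)
    print("full scan:", neighbours_full_scan(db, 1, 500))
    print("limit 1:  ", neighbours_limit_one(db, 1, 500))
```

Both functions return the same neighbours; the difference is that the scan returns every row in the forum for every page view, so the database work grows with forum size and with the number of concurrent requests, while the seek returns at most three rows regardless of either. The practical check is the one the first message describes: log the row count the database reports per request (devel's query log, or the database's own tooling), not just the wall-clock time on a development box.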
2009/8/26 Jean-Michel Pouré <jm@poure.com>:

> Dear Phil,
>
> > Firstly, if it is a security issue this is not the right place to report it. You should be using the existing method: http://drupal.org/security-team#report-issue
>
> Website down.

Just so people know: I am currently working on www1.drupal.org. If you hit a "web site down" error, just wait a bit and reload to hit another web node. However, there shouldn't be many of those errors anyway, and they should be short-lived.

--
Narayan Newton
GA Member, Drupal Association
Tag1Consulting