When SimpleSecurity (r92519) is enabled in Mediawiki 1.17, PHP exceeds its memory_limit:
[19-Jul-2011 06:49:46] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 3276888 bytes) in ../includes/db/Database.php on line 3029
and the webserver (lighttpd/1.4.28, php-cgi/5.3.3-7+squeeze3) delivers an error 500:
GET /mediawiki/load.php?debug=false&lang=en&modules=jquery.checkboxShiftClick%2Cclient%2Ccookie%2Cplaceholder%7Cmediawiki.language%2Cutil%7Cmediawiki.legacy.ajax%2Cajaxwatch%2Cwikibits&skin=vector&version=NaNNaNNaNTNaNNaNNaNZ HTTP/1.1" 500 37 "-" "Mozilla/5.0 (X11; en-US; rv:2.0) Gecko/20100101"
Increasing the memory_limit (tried with 512MB) did not help; php would consume all and then die again.
With firebug (a Firefox addon) installed, I can see 3 GET requests when SimpleSecurity is *disabled*:
- /load.php?debug=false&lang=en&modules=startup&only=scripts&skin=vector&* -> 1.5sec with 200 OK
- /load.php?debug=false&lang=en&modules=jquery%7Cmediawiki&only=scripts&skin=vector&version=20110622T081140Z -> ~800 msec with 200 OK
- /load.php?debug=false&lang=en&modules=jquery.checkboxShiftClick%2Cclient%2Ccookie%2Cplaceholder%7Cmediawiki.language%2Cutil%7Cmediawiki.legacy.ajax%2Cajaxwatch%2Cwikibits&skin=vector&version=20110719T045856Z -> 1sec with 200 OK
When SimpleSecurity is enabled, the 3rd GET requests turns into:
/load.php?debug=false&lang=en&modules=jquery.checkboxShiftClick%2Cclient%2Ccookie%2Cplaceholder%7Cmediawiki.language%2Cutil%7Cmediawiki.legacy.ajax%2Cajaxwatch%2Cwikibits&skin=vector&version=NaNNaNNaNTNaNNaNNaNZ
and returns with "500 Internal Server Error" after around 30sec. In the processlist I can see that one php-cgi is using a lot of CPU time and of course memory, until it hits the memory_limit, then it stops.
My SimpleSecurity config:
$wgSecurityUseDBHook = true;
require_once("$IP/extensions/SimpleSecurity-svn/SimpleSecurity.php");
$wgSecurityRenderInfo = false;
restrictions apply
$wgPageRestrictions['Namespace:Special']['read'] = 'users';
$wgPageRestrictions['Namespace:User']['read'] = 'users';
Two more things here:
- The bug is not 100% reproducible: If I disable SimpleSecurity, the bug goes away. Enabling it again (just wgSecurityUseDBHook=true and require_once), the bug may not appear instantly. But as soon as I set wgPageRestrictions again, the bug reappears.
- Despite the error 500 for the 3rd GET request, SimpleSecurity still works. The error 500 just show up in the logfile. The article-page is rendered just fine, despite the fact that the 3rd GET request is still in progress.
Version: unspecified
Severity: normal
OS: Linux