"action=history&feed=" is an easy target for DOS attack
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	edwardspec
	Jul 7 2013, 12:43 PM

Description

Hi,

requesting URLs like http://en.wikipedia.org/w/index.php?title=Cat&action=history&feed=rss is an easy way of DOS-attacking a small MediaWiki website. These requests are quite heavy (diff generation for N revisions, with fetching all those revisions from DB?), have no captcha (because RSS readers don't support that), and since legitimate users almost never use them, they result in a cache miss.

Please make a configuration option to disable this "feature". $wgFeed is not good enough: RSS is quite useful for Recentchanges/Newpages, we don't want to disable those.

Version: 1.22.0
Severity: normal

Details

Reference: bz50886

Event Timeline

• bzimport raised the priority of this task from to Medium.Nov 22 2014, 1:53 AM

• bzimport added a project: MediaWiki-Page-diffs.

• bzimport set Reference to bz50886.

edwardspec created this task.Jul 7 2013, 12:43 PM

Hm, I was going to recommend setting $wgFeedLimit to a lower value ([[mw:Manual:$wgFeedLimit]]), but apparently the implementation for HistoryAction is broken and enforces a minimal maximum of 10 diffs. I'll submit a patch to fix that.

Change 72372 had a related patch set uploaded by Matmarex:
Correctly use $wgFeedLimit in page history feed

https://gerrit.wikimedia.org/r/72372

Change 72372 merged by jenkins-bot:
Correctly use $wgFeedLimit in page history feed

https://gerrit.wikimedia.org/r/72372

This is now fixed in master. You can now set $wgFeedLimit = 1; to make history feed generation no more expensive than viewing a regular diff.

Aklapper added a project: MediaWiki-Page-history.Sep 20 2019, 7:48 PM

"action=history&feed=" is an easy target for DOS attackClosed, ResolvedPublicActions

Description

Details

Event Timeline

"action=history&feed=" is an easy target for DOS attack
Closed, ResolvedPublic
Actions