Crafted redirect throws Sidekiq into an infinite loop

As an attacker, I set up a PHP server with a script:

test2.php:

<?php
header('Location: test2.php?val='.uniqid());
?>

and a .htaccess file:

RewriteEngine on
RewriteRule test.png test2.php

Then, I went to my local Discourse install and created a few posts with the following link:

http://php-mivexil.rhcloud.com/test.png

which Discourse turned into an image. What happened then, however, is shown here:

http://php-mivexil.rhcloud.com/phplog.log

In short, the Discourse image downloader never stops sending requests. Even after an hour, running tcpdump on Discourse server still shows outgoing traffic.

Additionally, enough of those posts saturate Sidekiq, breaking the whole downloader functionality:


1 Like

This topic is now invisible. It will no longer be displayed in any topic lists. The only way to access this topic is via direct link.

Haven’t tested that yet, but made the topic invisible in the case it’s a potential risk.

FYI, next time you report an attack, can you please either send a PM to one of the members of the team or email team@discourse.org instead of writing a public topic?

Okay, sorry.

It seems like you can only break Sidekiq for half an hour or so. If you do leave an open slot for heartbeats, however, the server will keep following the link until manually stopped.

Thanks for reporting that issue. Just pushed a fix :panda_face:

https://github.com/discourse/discourse/commit/488d4eebbe4215d618591429bd8d0b259d3fe9c8

1 Like
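The behaviour reported above (a redirect target that changes on every request, so the URL never repeats and a naive client follows it forever) is the case a downloader has to handle with a hard hop limit, not only with seen-URL loop detection. The following Ruby is an added example and is not Discourse's own downloader, nor what the linked commit changes; it uses an injectable fetcher (a lambda returning status, headers and body) so the simulated servers, including a constructed stand-in for the reporter's test.png/test2.php setup, run offline. All names and URLs in it are assumptions made for the example.

```ruby
require 'uri'
require 'securerandom'

# Outcome of a bounded fetch: why we stopped, where we ended up, and how
# many redirects were actually followed.
FetchResult = Struct.new(:status, :final_url, :redirects)

# Follow HTTP redirects from +start_url+, giving up either when a URL
# repeats (a true loop) or after +max_redirects+ hops (a loop that hides
# behind ever-changing URLs, as in the report).  +fetcher+ is any callable
# taking a URL string and returning [status_code, headers_hash, body]; a
# real client would wrap Net::HTTP with automatic redirects disabled.
def bounded_fetch(start_url, fetcher, max_redirects: 5)
  seen = []
  url = start_url
  loop do
    return FetchResult.new(:loop, url, seen.size - 1) if seen.include?(url)
    return FetchResult.new(:too_many_redirects, url, seen.size - 1) if seen.size > max_redirects

    seen << url
    status, headers, _body = fetcher.call(url)
    return FetchResult.new(:ok, url, seen.size - 1) unless (300..399).cover?(status)

    location = headers['Location']
    return FetchResult.new(:bad_redirect, url, seen.size - 1) if location.nil? || location.empty?

    # Resolve relative Location values against the URL we just requested.
    url = URI.join(url, location).to_s
  end
end

# Constructed stand-in for the server in the report: test.png is rewritten
# to test2.php, which always redirects to itself with a fresh uniqid-style
# query string, so no URL is ever seen twice.
def evil_server
  lambda do |url|
    if url.include?('test.png') || url.include?('test2.php')
      [302, { 'Location' => "test2.php?val=#{SecureRandom.hex(6)}" }, '']
    else
      [404, {}, 'not found']
    end
  end
end

# Constructed well-behaved server: one permanent redirect, then an image.
def benign_server
  lambda do |url|
    if url.end_with?('/old.png')
      [301, { 'Location' => '/images/new.png' }, '']
    else
      [200, { 'Content-Type' => 'image/png' }, "\x89PNG"]
    end
  end
end

# Constructed server with a plain A -> B -> A cycle, which seen-URL
# detection catches before the hop limit is reached.
def cycling_server
  lambda do |url|
    target = url.end_with?('/a') ? '/b' : '/a'
    [302, { 'Location' => target }, '']
  end
end

if __FILE__ == $PROGRAM_NAME
  p bounded_fetch('http://attacker.invalid/test.png', evil_server, max_redirects: 5)
  p bounded_fetch('http://cdn.invalid/old.png', benign_server)
  p bounded_fetch('http://cycle.invalid/a', cycling_server)
end
```

The two checks are deliberately separate: the seen-URL test is cheap and gives a precise diagnosis for ordinary A-to-B-to-A cycles, but it is defeated by a unique query string per hop, which is exactly why the hop limit is the control that terminates the case in this thread. A downloader running under Sidekiq should additionally treat the `:too_many_redirects` outcome as a permanent failure for that URL rather than a retryable one, so a saturated queue cannot re-enter the same chain.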