mindstellar / Osclass

With Osclass, get your own classifieds site for free. Build your own Osclass installation and start advertising real estate, jobs or whatever you want - in minutes!
https://docs.mindstellar.com/
GNU General Public License v3.0

Osclass 5.1b3 - Out of Memory #434

Closed eurobank closed 3 years ago

eurobank commented 3 years ago

Today I got a warning from the Google webmaster service about several error 500 issues.

The url is:

https: // www . website . com/index.php?page=ajax&action=location

So, enabling the debug log, I see several of these, and they DO happen when the above URL is accessed. I have no idea when this URL is used.

2021-11-06 23:10:09 - ERROR: Allowed memory size of 268435456 bytes exhausted (tried to allocate 20480 bytes) in /home/oc-includes/osclass/classes/controller/CWebAjax.php on line no 64 Error Code:1 with context: 
'array (
  \'type\' => 1,
  \'message\' => \'Allowed memory size of 268435456 bytes exhausted (tried to allocate 20480 bytes)\',
  \'file\' => \'/home/oc-includes/osclass/classes/controller/CWebAjax.php\',
  \'line\' => 64,
)'

Never seen those before.

eurobank commented 3 years ago

The above happens to a multi country site.

Trying the same URL on a single country site, I get a huge page like this (instead of a white screen of death with out of memory):


eurobank commented 3 years ago

Is all that considered a security issue? What other data can be "fished" using this trick?

navjottomer commented 3 years ago

This is an ajax URL for fetching location data. It'll give all the location data. For a multi country site, it is a performance hog. I'll see what we can do to optimize it; till then, increase your PHP memory limit.

eurobank commented 3 years ago

Ok, still, why does a direct PHP file return some results to visitors? Is that correct or safe? I think not.

navjottomer commented 3 years ago

Those URLs are meant that way, and the data given there is safe.


eurobank commented 3 years ago

Ok, safe. But it's 26 MB in my case, and I don't understand why Google bot (and probably others) want to download/get it.

anyways....

dev-101 commented 3 years ago

It also happens with the original script; you must manually define rules in robots.txt.

eurobank commented 3 years ago

Maybe so, I haven't seen that ever.

dev-101 commented 3 years ago

It crawls anything it finds, it doesn't care unless you explicitly forbid access to it.

Also, those pages are ajax-related stuff, but the issue here is that you also need to prevent them from being indexed (robots.txt is not good enough, e.g. bots ignore it for that part).

One possible way to solve it at the application level is to try to detect direct ajax calls coming from bots and serve a blank nofollow, noindex HTML page in those cases. Otherwise, you must define them manually in GSC and the like.
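One way to implement the application-level gate described above, as an added example that is not Osclass code and not from the commenter: a request that carries no XMLHttpRequest marker and comes from a known crawler user agent gets an empty noindex page before the expensive location query ever runs. The header names, the crawler token list and the `_SERVER` keys are assumptions about a typical PHP front controller.

```php
<?php
// Added example (not part of Osclass): short-circuit direct crawler hits on a
// JSON-only ajax endpoint so they neither get indexed nor trigger the full
// location dump that exhausted memory on the multi country site.

/**
 * Heuristic: the site's own front-end marks its calls with
 * X-Requested-With: XMLHttpRequest (jQuery sets it by default; assumption
 * that the theme's JS does the same). A request without that marker whose
 * User-Agent carries a known crawler token is treated as a direct bot fetch.
 * This is an indexing/performance guard, not an access-control boundary.
 */
function is_direct_bot_request(array $server): bool
{
    $xhr = strtolower($server['HTTP_X_REQUESTED_WITH'] ?? '');
    if ($xhr === 'xmlhttprequest') {
        return false; // the site's own JavaScript, let it through
    }

    $ua = strtolower($server['HTTP_USER_AGENT'] ?? '');
    // Constructed sample of crawler tokens; extend from your own access logs.
    $crawlerTokens = ['googlebot', 'bingbot', 'yandexbot', 'duckduckbot', 'baiduspider'];
    foreach ($crawlerTokens as $token) {
        if (strpos($ua, $token) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Emit an empty HTML document that tells crawlers not to index or follow it,
 * both via the X-Robots-Tag header and the meta tag, then stop processing.
 */
function serve_noindex_blank(): void
{
    header('X-Robots-Tag: noindex, nofollow', true, 200);
    header('Content-Type: text/html; charset=utf-8');
    header('Cache-Control: no-store');
    echo '<!DOCTYPE html><html><head>'
       . '<meta name="robots" content="noindex, nofollow">'
       . '</head><body></body></html>';
    exit;
}

// Usage: place this at the top of the ajax controller, before the
// location lookup, so the query is never executed for crawler requests.
if (is_direct_bot_request($_SERVER)) {
    serve_noindex_blank();
}
```

A complementary robots.txt entry can still discourage crawling of the endpoint, but as noted above it does not by itself prevent indexing, which is why the in-application response carries the noindex directives.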

eurobank commented 3 years ago

True, I have found an old 3.9 of mine still running and tested it. It happens also. But I never had an out of memory issue.

Anyways, if this is not a security issue, I'm fine.