Set upper limit to number of posts displayed #174

Closed
GoremanX opened this Issue Nov 1, 2011 · 2 comments

2 participants

@GoremanX

If a topic has hundreds (or thousands!) of posts, any user, including a guest, can make each and every one of those posts display on a single page by manipulating the limit parameter in the URL, regardless of the default "Posts per page" setting in the backend. This can potentially cripple a server in a very short time. Adding an option in the backend that sets a maximum number of displayed posts could prevent this from being a problem. For example, in the Security tab:

"Max number of posts per page:"

followed by a number field.

@GoremanX

Hey wait, I just had a better idea! What if Kunena ignores the limit= parameter in the URL and always uses the existing "Posts per page" value in the backend, UNLESS the user has moderator privileges for the topic he's reading/moderating? Then the vulnerability disappears completely, no new backend option needs to be added, and trusted moderators are unlikely to abuse the privilege but they can still increase the number of displayed posts to ease moderation.

@mahagr
Kunena member

I'm making a simple fix of restricting max number of posts to default*2.

@mahagr mahagr added a commit to mahagr/Kunena-1.6 that referenced this issue Dec 10, 2011
@mahagr mahagr [#174] Set upper limit to number of posts displayed 0676f4c
@mahagr mahagr closed this Dec 10, 2011
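
The server-side clamp discussed in this thread, as an added example (not the code from the referenced commit and not Kunena's API). It applies the default*2 ceiling to ordinary viewers and lets topic moderators go higher; `resolvePostLimit`, its parameters and the moderator ceiling of 200 are assumptions made for illustration.

```php
<?php
/**
 * Decide how many posts to render for one page request.
 *
 * @param mixed $raw         Untrusted "limit" URL parameter (null when absent).
 * @param int   $default     Configured "Posts per page" value.
 * @param bool  $isModerator Whether the viewer moderates this topic.
 * @param int   $modCap      Assumed hard ceiling for moderators.
 */
function resolvePostLimit($raw, int $default, bool $isModerator = false, int $modCap = 200): int
{
    $default = max(1, $default);

    // limit[]=1 arrives as an array and an absent parameter as null:
    // neither is a usable number, so fall back to the configured value.
    if (!is_scalar($raw)) {
        return $default;
    }

    // Accept decimal integers >= 1 only. Zero, negatives, "1e9", hex and
    // values that overflow an int all fail validation and use the default.
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($value === false) {
        return $default;
    }

    // Ordinary viewers: at most twice the configured page size.
    // Moderators: a larger, but still bounded, ceiling.
    $ceiling = $isModerator ? max($modCap, $default * 2) : $default * 2;

    return min($value, $ceiling);
}

// Constructed sample requests: [raw limit value, viewer is moderator].
$samples = [
    [null, false], ['50', false], ['100000', false], ['100000', true],
    ['-1', false], ['1e9', false], [['1'], false],
];
foreach ($samples as [$raw, $isMod]) {
    printf("%-10s mod=%d -> %d\n", json_encode($raw), $isMod, resolvePostLimit($raw, 20, $isMod));
}
```

The clamp has to run before the value reaches the database query, so that an oversized request never causes the extra rows to be fetched in the first place.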