Possible bug when posting a message with IP control + timeout enabled

Started by mukitauro, June 20, 2018, 08:24:14 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

mukitauro

June 20, 2018, 08:24:14 AM Last Edit: November 29, 2022, 11:08:52 PM by shawnb61
Hi,

Please let me start by apologizing in case I am posting something wrong, as it is my first post and even though I read the "So you think you found a bug with SMF?" I might still miss something.

I am a user, not an admin, of a forum, that has the following versions installed:
Code Select
Foro
SMF 2.0.14 | SMF © 2013, Simple Machines
SimplePortal 2.3.7 © 2008-2018, SimplePortal
Modificaciones
Enhancements to recent posts, 2.0.6 © 2013-2015, davidhs
Avatars on Board/MessageIndex v1.9 | © 2016 by Pipke
And I believe I have found a bug, that I will try to explain in a step by step manner:
  • post a reply to a topic
  • post again to the same topic in less than 60 seg (or the time limit configured on your server)
  • a warning will show that explains you cannot post from the same IP until 60 seg passes
  • click "back" on the link that is shown below the error message
  • wait until 60 seg pass (or the time limit configured on your server)
  • post again
  • a message is shown that matches the tag "error_form_already_submitted"

I believe that the second time you post, it should work as the forum should be able to check that in fact the first time you attempted to post, it was not really successful, so your message should not really be registered.

I downloaded the source code, and most likely I am 100% wrong because I am not a dev of this project and I am misunderstanding things... but something look odd to me, so I will post it here, and perhaps someone can either verify it or tell me I totally missed the point :)

In the file Post.php, in the function Post() there is a call to checkSubmitOnce('register') almost at the end of the function, and then on Post2() there is a call to checkSubmitOnce('check'). It looks to me that because Post() registers the form number of the message in $_REQUEST['seqnum'] before the message is really inserted, when we check in Post2() we should make sure that we do the check only if the message was really inserted. Perhaps the fix needs to go to checkSubmitOnce or not and I am totally wrong and I just wasted your time. Sorry for that :)

Arantor

#1
June 20, 2018, 09:52:14 AM
You're right, it's a bug, but fixing it is not trivial given the ways those functions get used throughout SMF :(

mukitauro

#2
June 20, 2018, 11:31:28 AM
Thanks for the reply!
Let's see if some maintainer has time to fix it at some point, at least we have a workaround which is wait and reload the page :)

Arantor

#3
June 20, 2018, 11:36:21 AM
I'd also note that 2.0 only seems to be getting critical bug fixes at this point, and this is possibly not a critical bug to be fixed.

I will experiment with it to see if there is a way to fix it, I have an idea on what that might be.

mukitauro

#4
June 21, 2018, 05:49:19 AM
Sure thing, no rush and thank you in any case for your help!
Print
Go Up Pages1
User actions
Advertisement: