Etherpad-lite: Exporting pads named * result in a non-responding etherpad instance
Pad named * cause 100% CPU usage on export.
I have used the etherpad export feature.
My guess would be, that * matches all pad names and tries to export the whole instance.
I tested this on my instance with a pad with a lot of history named "foobar" and tried to export a newly created pad named "foo*". Other pads like foobaz and foofoo exist.
The exported file for foo* was larger than the export for foobar.
unaimed
All 13 comments
https://github.com/ether/etherpad-lite/tree/fix/export-wildcards as a workaround. In the past before https://github.com/ether/etherpad-lite/commit/a0fb65205c7d7ff95f00eb9fd88e93b300f30c3d it was possible to specify a prefix and get a export of pads matching that prefix.
To better understand this bug someone needs to understand the query-builder part in ueberdb.
webzwo0i
on 15 Apr 2017
When using a sql backend, having a pad named for ex. ___ will export all pad's with a 3 letter name.
See:
https://dev.mysql.com/doc/refman/5.7/en/pattern-matching.html
https://github.com/Pita/ueberDB/blob/5c2ef4dc1476ef24bc475885817816c3e602ec8b/mysql_db.js
What ueberdb will do to find the key (* and % are filtered out in the patched etherpad, but _ is also a special character):
SELECT key FROM store WHERE key LIKE ?
whohoho
on 20 Apr 2017
Thank you! Because ueberdb supports many different database backends we probably need to check them as well?
Also it would be nice if we support the characters in pad names and don't just filter them, but instead escape them before they hit the database. I will look into this tomorrow.
webzwo0i
on 20 Apr 2017
At least sqlite and postgresql will have the same problem.
Not sure about the other database backends.
whohoho
on 21 Apr 2017
sorry it takes so long...
mysql, postgresql, sqlite and crate use % and _
cassandra, couch, rethink, mongo, dirty, redis probably support PCRE-style regex
leveldb and lmdb don't implement findKeys
webzwo0i
on 27 Apr 2017
Up? This is a serious confidentiality issue.
ldidry
on 22 Jun 2017
FWIW, we have disabled the etherpad export endpoint for this specific reason. As I was reading through the code I realized that the etherpad export endpoint does not use the padmanager as the e.g. txt endpoint does, but rather calls db functions directly. I 'll admit 0 knowledge of ethepad's internals from this point on, but since the export txt endpoint does not have this problem, maybe it's worth it to amend the etherpad endpoint to use the padmanager as well instead of fighting this at the DB level ?
akosiaris
on 27 Jun 2017
hi,
Whats the status of this bug?
whohoho
on 22 Mar 2018
I think this issue should also be created in https://github.com/Pita/ueberDB. The library implement and exports methods to escape operators depending of the database we are working with (for instance, regex operators should be escaped when working with dirtydb).
ghost
on 22 Mar 2018
whohoho
on 22 Mar 2018
This issue is not so much about crashing node (which happens when your query happens to match too much entries) , but about being able to export the complete contents of the etherpad server without knowing the names of the pads.
So in my opinion it makes sense to filter out all sql LIKE special characters untill this is fixed in ueberDB.
whohoho
on 22 Mar 2018
Should be fixed in https://github.com/ether/etherpad-lite/commit/806c9207e365304ef0f3130d7d3ec59f362f8f9d, since it's not calling findKeys anymore. Can you confirm?
ghost
on 7 Apr 2018
bonjour, même problème mais un peut différant
des que je ouvre un pad, le node devient tros gourmand 100% utilisation du CPU, koi faire ????
rabeharkab
on 5 Dec 2018
Related issues
skramsa
·
110Comments
ottomattas
·
12Comments
fancycade
·
29Comments
seballot
·
34Comments
Rillke
·
29Comments
Most helpful comment
Up? This is a serious confidentiality issue.