#23157 closed Cleanup/optimization (fixed)
O(n) behaviour in default configuration when uploading many duplicate filenames
| Reported by: | dw | Owned by: | Tim Graham |
|---|---|---|---|
| Component: | File uploads/storage | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description
In the default configuration, Django django/core/files/storage.py get_available_name() may degrade to producing a huge number of stat() system calls when a duplicate filename is being uploaded. Since stat() may invoke IO, this may produce a huge data-dependent slowdown that slowly worsens over time.
The problem was originally detected by our test suite, but it is likely that especially older Django installations will be experiencing it too, perhaps without even realizing.
I filed a pull request at https://github.com/django/django/pull/3008 before reading the contributor documentation. It seems to suggest I should file a bug to be triaged before submitting a pull?
This is my first Django contribution, so apologies for any confusion.
Change History (12)
comment:1 by , 10 years ago
comment:2 by , 10 years ago
| Has patch: | set |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
| Type: | Uncategorized → Cleanup/optimization |
comment:3 by , 10 years ago
I'm no expert in security, so forgive me if this is a dumb/naive question, but couldn't this bug be used for DOSing a site? If so, should this patch get a priority/severity upgrade?
comment:4 by , 10 years ago
Yes, we noticed that possibility as soon as the ticket was filed and we started the private process that we use to deal with security issues. For obvious reasons, we didn't draw attention to this ticket.
In doubt, please disclose possible security issues responsibly, as explained on https://docs.djangoproject.com/en/1.6/internals/security/#reporting-security-issues.
comment:5 by , 10 years ago
The solution looks clean and simple and the tests working fine.
I would mark it RFC as soon as you fix the PEP8 Error on line 801
comment:7 by , 10 years ago
| Owner: | changed from to |
|---|---|
| Patch needs improvement: | set |
| Status: | new → assigned |
| Triage Stage: | Ready for checkin → Accepted |
I am working on an alternate patch.
comment:8 by , 10 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
I tested this PR on master locally and it works nicely for me, the tests run perfectly too
+1 for this contribution