#33245 closed Bug (fixed)
utils.html.urlize() isn't thread-safe
| Reported by: | Tim McCurrach | Owned by: | Tim McCurrach |
|---|---|---|---|
| Component: | Utilities | Version: | dev |
| Severity: | Release blocker | Keywords: | |
| Cc: | Claude Paroz | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Since e567670b utils.html.urlize isn't thread safe!
To replicate bug:
- Write 2 views that both use the
urlizetrunctag a large number of times (between 104 and 105 was enough on my computer). - Use different url length limits (for truncation) for each view
- Load the 2 views simultaneously
The resulting pages will have inconsistent url limits, as the trim_url_limit value from one view leaks over to the other.
The cause
Since urlize was changed to become class-based trim_url_limit, nofollow, autoescape, and trim_url_limit are stored as instance attributes. Urlizer is instantiated just once and then used within urlize which allows for these values to be shared between function calls.
The solution
- The obvious solution would be to pass the values listed above directly to
handle_wordso that they are not stored on the instance. - My only question is: Does removing these values from the class instance nullify the ease of customisation the original ticket brought about? If this is the case, the better solution might just be to revert the change.
- An alternative approach would be to create a new instance of
Urlizeron each call ofurlize, but since this can be called many times in a single request, this would likely have a performance impact.
Change History (9)
comment:1 by , 3 years ago
| Description: | modified (diff) |
|---|
comment:2 by , 3 years ago
| Summary: | utils.urlize isn't thread-safe → utils.html.urlize isn't thread-safe |
|---|
comment:3 by , 3 years ago
| Cc: | added |
|---|---|
| Severity: | Normal → Release blocker |
| Summary: | utils.html.urlize isn't thread-safe → utils.html.urlize() isn't thread-safe |
| Triage Stage: | Unreviewed → Accepted |
follow-up: 6 comment:5 by , 3 years ago
[HS] Mariusz, do you know why I'm not receiving any mail when you CC me? It's not a problem since I generally follow the timeline, but I still wonder.
comment:6 by , 3 years ago
Replying to Claude Paroz:
[HS] Mariusz, do you know why I'm not receiving any mail when you CC me? It's not a problem since I generally follow the timeline, but I still wonder.
FWIW, I'm not receiving notifications about this ticket either. Strange...
comment:7 by , 3 years ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
Thanks for the report!
Agreed, it's should be enough to pass values to the underlying methods.
I don't think so. As far as I'm aware all important parameters will still be customizable.