Opened 3 years ago

Last modified 3 years ago

#33245 closed Bug

utils.urlize isn't thread-safe — at Version 1

Reported by: Tim McCurrach Owned by: nobody
Component: Utilities Version: dev
Severity: Release blocker Keywords:
Cc: Claude Paroz Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Tim McCurrach)

Since e567670b utils.html.urlize isn't thread safe!

To replicate bug:

  1. Write 2 views that both use the urlizetrunc tag a large number of times (between 104 and 105 was enough on my computer).
  2. Use different url length limits (for truncation) for each view
  3. Load the 2 views simultaneously

The resulting pages will have inconsistent url limits, as the trim_url_limit value from one view leaks over to the other.

The cause

Since urlize was changed to become class-based trim_url_limit, nofollow, autoescape, and trim_url_limit are stored as instance attributes. Urlizer is instantiated just once and then used within urlize which allows for these values to be shared between function calls.

The solution

  • The obvious solution would be to pass the values listed above directly to handle_word so that they are not stored on the instance.
  • My only question is: Does removing these values from the class instance nullify the ease of customisation the original ticket brought about? If this is the case, the better solution might just be to revert the change.
  • An alternative approach would be to create a new instance of Urlizer on each call of urlize, but since this can be called many times in a single request, this would likely have a performance impact.

Change History (1)

comment:1 by Tim McCurrach, 3 years ago

Description: modified (diff)
Note: See TracTickets for help on using tickets.
Back to Top