Download Quota - Flaw discovered (and fixed)

[Andy]

Hello everyone.

Recently I discovered a very fatal flaw in the download quota system that required me to take immediate action.

This flaw was a design flaw from the very beginning, and was overlooked throughout all testing. It only recently came to light because of some users massively going over their quota. Thanks to our logging system, we noticed this and were able to analyse how it was happening.

So what was the flaw?

Put simply, the rolling quota system was doomed from day 1. If you downloaded a 50GB file, you use 50GB of quota with an expiry time of 24 hours. That worked fine because quota was 24 hour rolling.

But consider a situation where you download two 25GB files instead. That would have a quota expiry time of 12 hours. Now say you download them both right now, in parallel. You'll use your 50GB quota, but BOTH files quota will get returned in just 12 hours from now. That means that you would then be able to get another 50GB of quota after just 12 hours!

This problem gets worse the smaller the file you download. You could download 50x1GB files and after 28 minutes all of the files had their quota returned and you could download another 50GB of files!

You can see why this was such a serious flaw and how under typical use and testing it would never have been noticed.

So what was the fix and how does it work now?

The fix was to recode the entire authentication and quota script, which is what I have spent the majority of today doing.

The quota system is now set up so that you regain about 2.083GB of quota per hour. So it's still sort of rolling, but not second by second. This should still allow you to download new files regularly once your used quota drops below 50GB.

The "quota expiry" column is now gone because it served no purpose anymore.

Please report any issues

As I have essentially re-written this in just a few hours, please do report any bugs to me. That includes all unexpected 401's, 404's, etc. that you encounter.

I have improved the logging capability of the authentication system to help me further identify problems more easily.

Thanks

Andy

[SigmaTel71]

If I download a file that is less than maximum quota per hour, will it reserve the entire hour 'capacity' or I'll regain my 1.25 GB (for example) quota back earlier?

[Andy]

You'll only use whatever the size of the file is. You'll get 2.083GB back every hour on the hour.

Essentially nothing has changed other than the quota actually works as intended now and you get quota back hourly.

[Resident007]

For whatever reason, I am now getting division by zero error when opening "My downloads" tab in the Database:

[PlyrStar93]

For whatever reason, I am now getting division by zero error when opening "My downloads" tab in the Database:

Same
Basically the page doesn't work even if I have generated a download and then go back to My Downloads.

[Andy]

Fixed. Please try now.

[PlyrStar93]

Can confirm it's fixed, thank you Andy.

[Resident007]

Yes, it's fixed, thanks.

[gamer765]

Users caught actively abusing the bug should've been given a warning/temp ban

[Andy]

I don't think it's fair to give people a warning for a bug that has existed since day 1 and was never caught. They could have been unknowingly exploiting it too if they queued up files and may not have realised. Even if they did, I bet most people wouldn't say anything if they were getting more than they were meant to.

In any case, it's fixed now.