Bug: Race condition in timestamp-based queue lock fallback #115

New Issue

Closed

opened 2026-06-06 11:50:08 +00:00 by jmiller · 1 comment

jmiller commented 2026-06-06 11:50:08 +00:00

Owner

Copy Link

Copy Source

Audit Finding

Severity: Medium

Issue:
acquireTimestampLock() reads lock time, checks staleness, then writes — classic TOCTOU race. Two concurrent processes could both acquire the lock. MySQL/PostgreSQL advisory lock paths are correct but the fallback is unreliable.

Fix: Use atomic UPDATE with WHERE clause checking old value, then verify getAffectedRows() > 0.

Files: QueueProcessor.php

## Audit Finding **Severity:** Medium **Issue:** `acquireTimestampLock()` reads lock time, checks staleness, then writes — classic TOCTOU race. Two concurrent processes could both acquire the lock. MySQL/PostgreSQL advisory lock paths are correct but the fallback is unreliable. **Fix:** Use atomic UPDATE with WHERE clause checking old value, then verify `getAffectedRows()` > 0. **Files:** `QueueProcessor.php`

jmiller commented 2026-06-06 11:50:12 +00:00

Author

Owner

Copy Link

Copy Source

Branch created: feature/115-bug-race-condition-in-timestamp-based-qu

git fetch origin
git checkout feature/115-bug-race-condition-in-timestamp-based-qu

Branch created: [`feature/115-bug-race-condition-in-timestamp-based-qu`](https://git.mokoconsulting.tech/MokoConsulting/MokoJoomCross/src/branch/feature/115-bug-race-condition-in-timestamp-based-qu) ```bash git fetch origin git checkout feature/115-bug-race-condition-in-timestamp-based-qu ```

jmiller referenced this issue from a commit 2026-06-06 14:33:22 +00:00

security: fix 9 security and critical bugs (#107-#115, #120)

jmiller closed this issue 2026-06-06 14:35:11 +00:00

Sign in to join this conversation.

Labels

Clear labels

bug

Something is not working

chore

Maintenance and housekeeping

documentation

Documentation improvements

enhancement

Improvement to existing functionality

feature

New feature or request

pending: dependency

Blocked by another issue or external dependency

pending: deployment

Tested and approved, awaiting deployment to production

pending: design

Needs UI/UX or architecture design before implementation

pending: documentation

Feature works, needs documentation/wiki update

pending: feedback

Awaiting feedback or decision from stakeholder

pending: review

Implementation complete, awaiting code review

pending: testing

Feature implemented but not yet tested

priority: critical

Must fix immediately

priority: high

Should fix soon

priority: low

Nice to have

priority: medium

Fix when convenient

refactor

Code restructuring without behavior change

roadmap

Planned feature or enhancement tracked on the roadmap

scope: client

Client-specific work

scope: dolibarr

Dolibarr modules and customizations

scope: infrastructure

Server, CI, backups, monitoring

scope: joomla

Joomla templates and extensions

scope: waas

MokoWaaS platform

security

Security vulnerability or hardening

status: blocked

Waiting on external dependency

status: duplicate

Duplicate of another issue

status: in-progress

Being worked on

status: needs-review

Ready for review

status: wontfix

Will not be addressed

No labels

Type —

Status —

Priority —

Milestone

No items

No Milestone

Assignees

Clear assignees

jmiller (Jonathan Miller)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoJoomCross#115