Fixed 30 second limit easily broken

I have found that it is easily possible to break the 30 limit. (I have tested this on two forums and will demonstrate below)

There is a small gap right after 30 second timer ends that a user can send as many post requests and possible and have them all posted. You don't need to send post requests. It is easily accomplished on a user's profile page because there is no time where after you post the button becomes deactivated.

Test for this bug :

This is not limited to any amount of posts or just to profile posts. This can be used for major spam.


XenForo developer
Staff member
This is fixed now for the next release. The issue was effectively an off-by-one issue where the DB would only update if the last action was older than <flood limit> + 1 second but other code would accept it at <flood limit> time, which meant that there was a position where a request would go through but the DB wouldn't be updated to reflect the new time.

So this has been fixed in two was: the off-by-one issue has been sorted but there's also a sanity check. If the code thinks you're flooding and no DB change has been made, it will force you to wait at least 1 second.

Very good catch here. Thanks! :)