Closed Bug 335256 Opened 18 years ago Closed 7 years ago

Denial of Service through the setTimeout() JavaScript function (recursive setTimeout/setInterval)

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
critical

RESOLVED DUPLICATE of bug 1300659

People

(Reporter: roland.illig, Assigned: brendan)

Details

(Keywords: hang, testcase, Whiteboard: [sg:dos])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.8) Gecko/20050512
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.8) Gecko/20050512

<html>
<head>
<script>
function bomb() {
        setTimeout("bomb()", 1000);
        setTimeout("bomb()", 1000);
}
</script>
</head>

<body onload="bomb()">
Please wait some seconds ... then, try to continue to use Mozilla.
</body>
</html>


Reproducible: Always

Steps to Reproduce:
1. save the text above to a file
2. load the file in Mozilla, Firefox, Konqueror or Internet Explorer. (Opera does not work.)
3. wait 10 seconds

Actual Results:  
Now it should be impossible to further click anywhere in the application window.

Expected Results:  
alertYesNo("This JavaScript takes forever to compute. Continue?");
Assignee: dveditz → general
Group: security
Component: Security → JavaScript Engine
Product: Mozilla Application Suite → Core
QA Contact: seamonkey → general
Whiteboard: [sg:dos]
Version: unspecified → Trunk
Keywords: testcase
Keywords: hang

*** This bug has been marked as a duplicate of 261633 ***
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Bug 261633 got morphed a little bit, re-opening to cover the more general issue.
Status: RESOLVED → UNCONFIRMED
Component: JavaScript Engine → DOM
Resolution: DUPLICATE → ---
Summary: Denial of Service through the setTimeout() JavaScript function → Denial of Service through the setTimeout() JavaScript function (recursive setTimeout/setInterval)
Assignee: general → nobody
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: general → general
This bug blocks bug 30942 – Browser should remain responsive during most infinite loops
I'm going to investigate what WebKit does (suppresses, IIRC) and imitate. This is one DoS/accident that we can control without breaking the web.

/be
Assignee: nobody → brendan
Wait, we do this already, right? Cc'ing bz.

/be
> Wait, we do this already, right?

Do what where?
What about just limiting the number of setInterval/setTimeout events that Firefox can manage? No sensible web page should ever want 1000 individual timers, I guess.

And if you find this guess too vague, maybe do an experiment through a User Experience program and record the highest number of timers that a website has ever needed. Then, after 3 months, look at the numbers, take the most sensible of them, multiply it by 10 and make this a fixed limit.
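
The timer cap suggested in the comment above, as an added example that is not part of the original bug thread and is not Firefox code: a deterministic model with a virtual clock replays the report's bomb() with and without a per-page limit on pending timers. TimerQueue, maxPending and runBomb are hypothetical names, and the limit of 1000 is the figure mentioned in the comment.

```javascript
// Added example: deterministic model of a page's timer queue (virtual clock, no real timers).
// TimerQueue, maxPending and runBomb are hypothetical names, not Gecko code.
class TimerQueue {
  constructor(maxPending = Infinity) {
    this.maxPending = maxPending; // per-page cap on outstanding timers
    this.pending = [];            // entries: { due, fn }
    this.now = 0;                 // virtual time in ms
    this.rejected = 0;            // registrations refused because of the cap
    this.peak = 0;                // highest number of timers pending at once
  }
  setTimeout(fn, delay) {
    if (this.pending.length >= this.maxPending) {
      this.rejected++;
      return false;
    }
    this.pending.push({ due: this.now + delay, fn });
    this.peak = Math.max(this.peak, this.pending.length);
    return true;
  }
  // Advance the virtual clock and fire every timer that is due at the new time.
  advance(ms) {
    this.now += ms;
    const due = this.pending.filter(t => t.due <= this.now);
    this.pending = this.pending.filter(t => t.due > this.now);
    let fired = 0;
    for (const t of due) { t.fn(); fired++; }
    return fired;
  }
}

// Replays the report's bomb() for `seconds` virtual seconds and
// returns how many callbacks ran in each second.
function runBomb(seconds, maxPending) {
  const q = new TimerQueue(maxPending);
  const bomb = () => { q.setTimeout(bomb, 1000); q.setTimeout(bomb, 1000); };
  bomb(); // corresponds to <body onload="bomb()">
  const firedPerSecond = [];
  for (let s = 0; s < seconds; s++) firedPerSecond.push(q.advance(1000));
  return { firedPerSecond, pending: q.pending.length, peak: q.peak, rejected: q.rejected };
}

const uncapped = runBomb(10);     // doubling every second
const capped = runBomb(10, 1000); // growth stops at the cap
console.log(uncapped.firedPerSecond, capped.firedPerSecond);
```

In this model the cap bounds the queue but the page still runs 1000 callbacks per second once it reaches the limit, so a cap limits growth rather than the per-callback cost.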
I believe this was fixed by bug 1300659 in FF52.
Status: NEW → RESOLVED
Closed: 18 years ago → 7 years ago
Resolution: --- → DUPLICATE
Component: DOM → DOM: Core & HTML