Closed Bug 530037 Opened 15 years ago Closed 6 years ago

Firefox hangs on high-compression long gzipped HTML documents (gzip bombs)

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
All
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 233262

People

(Reporter: piotr, Unassigned)

Details

(Keywords: hang, Whiteboard: [sg:dos]) 

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; pl-PL; rv:1.9.1.5) Gecko/20091109 Ubuntu/9.10 (karmic) Firefox/3.5.5
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; pl-PL; rv:1.9.1.5) Gecko/20091109 Ubuntu/9.10 (karmic) Firefox/3.5.5

Firefox is vulnerable to gzip-bombs. Imagine a very big and sparse (many spaces) HTML. When served using Content-encoding: gzip the actual size transfered is like 100 times slower than what browser wants to render. This means that after loading 1 MB from network (which usually takes seconds) browser renders next 100 MB of HTML document. As rendering takes longer than downloading the GUI is frozen and never lets you even close the faulty tab just after very first seconds.

Good thing is is does not eat RAM like Opera for example. On the other hand Opera have UI thread separated from rendering thread and let's you just close the tab freeing all allocated memory.

Reproducible: Always

Steps to Reproduce:
1. Go to http://lastlook.pl/~quake/die.php
2. Wait 10 seconds
Actual Results:  
Firefox stops responding.

Expected Results:  
Firefox should be still responsive and allow at least closing the tab.

Ideally it could detect gzip bombs and stop loading them after certain size (100 MB uncompressed HTML?).

When dealing with good files it should actually process them in chunks (for example max 10 MB plain -- which means 99% of webpages is one chunk) and wait till one chunk ends rendering before continuing downloading the file. This would make UI responsive at least between each 10 MB of plain source.

PHP source is: http://lastlook.pl/~quake/die.php.txt

The served file is: http://lastlook.pl/~quake/die.html.gz

To safely view it:

curl http://lastlook.pl/~quake/die.html.gz 2>/dev/null | gunzip | less
I'm fairly sure this is a dupe, we've talked about this problem. We're unlikely to fix this until we split the UI into its own thread or even its own process like Chrome.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: hang
Whiteboard: [sg:dos]
Product: Firefox → Core
QA Contact: firefox → toolkit
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.