Closed Bug 1180976 Opened 9 years ago Closed 9 years ago

misuse of window.history.go() can result in denial-of-service/crash

Categories

(Core :: DOM: Core & HTML, defect)

Version: 39 Branch
Type: defect
Priority: Not set
Severity: normal


RESOLVED INCOMPLETE

People

(Reporter: zimoshe, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos, stackwanted, testcase)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36

Steps to reproduce:

1. run firefox.exe
2. put in the address bar: data:text/html,<h1>helll...p</h1><script type="text/javascript">window.history.go()</script> (can be achieved by making an html with <a href=... too)

Actual results:

firefox continuously reloading, fully locked down, consumption is up to 50% cpu, but it is still enough to lock the window as a whole and a deterministic (as of now) crash from time to time.

Expected results:

handling history.go() w/ no params properly; rapid reload mitigation
Component: Untriaged → DOM
Product: Firefox → Core
Blocks: eviltraps
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, csectype-dos, hang
history.go() with no parameters is the same thing as location.reload(). Doing a bunch of location.reload() will in fact chew up CPU (in all browsers, last I checked; for example in Chrome it prevents even opening the developer tools on the page) but certainly shouldn't cause crashes. Do you have the incident IDs from about:crashes?
Flags: needinfo?(zimoshe)
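As an added example (not code from the bug report, the commenters, or Firefox), the following models the reporter's testcase together with the equivalence stated in the comment above: history.go() with no argument reloads the current document, so a page script that calls it unconditionally reloads itself on every load, and only a cap on the simulation stops it. Next to it is the "rapid reload mitigation" the reporter asks for, implemented on the page side as a rolling-window reload budget stored in sessionStorage. The storage and clock are injected, an assumption made so the logic runs under Node without a DOM; the names createReloadGuard, MemoryStorage, runUntilStopped and simulateReloadLoop are chosen here and not from the bug.

```javascript
// Rolling-window budget for a page's own reloads. Storage and clock are
// injected (assumption: in a real page pass window.sessionStorage and Date.now).
const DEFAULTS = { key: 'reloadGuard.timestamps', maxReloads: 3, windowMs: 10000 };

function createReloadGuard(storage, now, options = {}) {
  const { key, maxReloads, windowMs } = { ...DEFAULTS, ...options };

  // Timestamps of reloads still inside the window. A missing or corrupt entry
  // counts as "no reloads yet"; a storage that throws propagates to tryReload.
  function recentReloads(t) {
    const raw = storage.getItem(key);          // may throw (e.g. SecurityError)
    let list = [];
    try {
      const parsed = JSON.parse(raw || '[]');
      if (Array.isArray(parsed)) list = parsed.filter(Number.isFinite);
    } catch (_) {
      // entry is not JSON: start the budget over
    }
    return list.filter((ts) => t - ts < windowMs);
  }

  // Records this attempt and reports whether the page may reload now. If the
  // storage cannot be read or written the loop cannot be bounded, so the
  // answer is "no" (fail closed).
  function tryReload() {
    const t = now();
    try {
      const recent = recentReloads(t);
      if (recent.length >= maxReloads) return false;
      recent.push(t);
      storage.setItem(key, JSON.stringify(recent));
      return true;
    } catch (_) {
      return false;
    }
  }

  return { tryReload };
}

// Minimal stand-in for window.sessionStorage (constructed for this example).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Runs a "page script" once per load until it declines to reload or the cap
// is reached; returns how many reloads happened.
function runUntilStopped(pageScript, cap) {
  let reloads = 0;
  while (reloads < cap && pageScript()) reloads++;
  return reloads;
}

// The testcase's script (`window.history.go()` with no check) versus the same
// script behind the guard. The guard keeps no in-memory state, so recreating
// it on every load, as a real page does, behaves the same as reusing it.
function simulateReloadLoop({ cap = 1000, msPerReload = 50, ...options } = {}) {
  let clock = 0;
  const storage = new MemoryStorage();
  const unguarded = runUntilStopped(() => true, cap);
  const guarded = runUntilStopped(() => {
    clock += msPerReload;                      // time passes between loads
    return createReloadGuard(storage, () => clock, options).tryReload();
  }, cap);
  return { unguarded, guarded };
}

console.log(simulateReloadLoop());             // { unguarded: 1000, guarded: 3 }
```

In a page, `createReloadGuard(window.sessionStorage, Date.now).tryReload() && window.history.go()` reloads at most three times in ten seconds and then lets the document load normally. For a data: URL like the testcase the origin is opaque and touching sessionStorage can throw, which the guard treats as "do not reload". This bounds a page's own loop only; a hostile page that wants to burn CPU simply omits the guard, which is why the reporter's second expectation is a browser-side rate limit, not a page-side one.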
Unlimited reload works fine in 47.0a1 (2016-02-08) Win10.
Status: NEW → UNCONFIRMED
Ever confirmed: false
Keywords: crash, hang → stackwanted, testcase
Summary: misuse of window.history can result in denial-of-service/crash → misuse of window.history.go() can result in denial-of-service/crash
Considering needinfo was set 7 months ago -> incomplete. We can reopen if/when we have more details.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
Component: DOM → DOM: Core & HTML