Bug 1185476 - Enforce max length for context text inputs
Status: Closed (RESOLVED WONTFIX)
Opened 9 years ago, closed 8 years ago
Categories: Hello (Loop) :: Client, defect, P1
Tracking: (Not tracked)
Iteration: 42.2 - Jul 27
People: (Reporter: mikedeboer, Unassigned)
Details: (Keywords: csectype-dos, sec-other)
Attachments (1 file): patch, 18.04 KB; standard8: feedback+
For performance, usability and consistency we should limit the number of characters in the following input fields:

- room name
- context URL
- context comment
- text chat input

Note: since we're sending one big encrypted blob to the loop-server, the char limit is not enforced on the server side anymore! This opens up a client-side DOS attack vector.

Sevaan, can you give us preferable maximum lengths for each of the text input areas that I mentioned above?
Flags: qe-verify+
Flags: needinfo?
Flags: firefox-backlog+
Updated•9 years ago
Flags: needinfo?
Updated•9 years ago
Flags: needinfo?(sfranks)
Comment 1•9 years ago
> - room name

Can be arbitrarily capped. Room names trail off to ellipses if they don't fit. Maybe 50 characters?

> - context URL

URLs can be super-long if there are various IDs attached. Maybe this one should be long...1000 characters?

> - context comment

I'm looking for a max of three lines worth of text. Can you help me identify what character limit that would be?

> - text chat input

I can see use cases where people paste text into chat, so this should be a long limit. Maybe 2500 characters?

What is your opinion on the above?
Flags: needinfo?(sfranks)
Comment 2•9 years ago (Reporter)
Mark, what do you think of this approach?
Updated•9 years ago (Reporter)
Iteration: --- → 42.2 - Jul 27
Points: 2 → 3
Comment 3•9 years ago
Comment on attachment 8636584 [details] [diff] [review]
Patch v1: define a max length for all flavors of input

Review of attachment 8636584 [details] [diff] [review]:
-----------------------------------------------------------------

The ideas here seem reasonable.

::: browser/components/loop/content/shared/js/utils.js
@@ +96,5 @@
> + var ROOM_INPUT_LENGTHS = {
> + roomName: 50,
> + roomURL: 2048,
> + roomDescription: 140,
> + textChat: 2500

The textChat one doesn't seem used in this patch.
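Review bot: ROOM_INPUT_LENGTHS only bounds what the local client sends; because the loop-server relays one encrypted blob and no longer enforces any limit (see the description), and a modified client can simply skip these checks (as comment 4 later points out), the same caps also need to be applied to each field after decryption on the receiving client, before it is rendered, or the DoS vector this bug describes stays open. Two smaller points on the same hunk: roomURL is 2048 while comment 1 suggested 1000 for the context URL, so the chosen value deserves a comment, and the unused textChat entry should either be wired to the text chat input or dropped.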
Attachment #8636584 - Flags: feedback?(standard8) → feedback+
Comment 4•9 years ago
Not sure how this is a DoS bug, or if it is how it can be fixed in the client. If a single client can DoS the server then that's a problem. Anyone who is intentionally DoSing us can just use a modified client without these limits. Is there something about this problem that propagates to other clients, to recruit an unwitting distributed DoS on us?
Updated•9 years ago
Keywords: csectype-dos, sec-other
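The enforcement point the description and comment 4 are arguing about, as an added example that is not Loop's code: because the server only relays an encrypted blob, the caps are applied on the sending client for usability and again on the receiving client after decryption, where a modified peer cannot bypass them. The limit values are the ones from the ROOM_INPUT_LENGTHS in the patch quoted in comment 3; the function names are my own.

```javascript
// Added example, not code from the Loop client. Limits match the patch's
// ROOM_INPUT_LENGTHS; everything else here is illustrative.
const ROOM_INPUT_LENGTHS = {
  roomName: 50,
  roomURL: 2048,
  roomDescription: 140,
  textChat: 2500,
};

// Count Unicode code points rather than UTF-16 code units, so a cap of
// 50 "characters" is not cut in the middle of a surrogate pair (emoji).
function codePointLength(str) {
  return Array.from(str).length;
}

function truncateCodePoints(str, max) {
  return Array.from(str).slice(0, max).join("");
}

// Sending side: refuse over-long input so the UI can tell the user.
// Returns { ok: true } or { ok: false, field, length, max }.
function validateOutgoing(fields) {
  for (const [field, max] of Object.entries(ROOM_INPUT_LENGTHS)) {
    const value = fields[field];
    if (value === undefined) continue;
    if (typeof value !== "string") {
      return { ok: false, field, reason: "not a string" };
    }
    const length = codePointLength(value);
    if (length > max) return { ok: false, field, length, max };
  }
  return { ok: true };
}

// Receiving side: a modified peer can skip validateOutgoing, so after
// decrypting the blob, clamp every known field and drop unknown ones
// before anything reaches the DOM. This is the check that closes the
// DoS vector the server can no longer enforce.
function sanitizeIncoming(decrypted) {
  const clean = {};
  for (const [field, max] of Object.entries(ROOM_INPUT_LENGTHS)) {
    const value = decrypted[field];
    if (typeof value !== "string") continue;
    clean[field] = truncateCodePoints(value, max);
  }
  return clean;
}
```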
Updated•8 years ago (Reporter)
Assignee: mdeboer → nobody
Status: ASSIGNED → NEW
Flags: needinfo?(mdeboer)
Comment 5•8 years ago (Reporter)
Fx Hello not in product anymore, thus risk mitigated.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Updated•6 years ago
Group: firefox-core-security