Closed
Bug 1199946
Opened 9 years ago
Closed 9 years ago
Web Storage key lengths not counted against quota
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED DUPLICATE of bug 929846
People
(Reporter: lokin-roman-1983, Unassigned)
Attachments (1 file): 568 bytes, text/html
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36

Steps to reproduce:

Hello! I do not know English, so I write through a translator (my native language - Russian).

Firefox does not check the length of the key in localStorage and sessionStorage (hereinafter Web Storage), as a result I can put to any number of data instead of the allowed 5 MB. But as the Web Storage data stored in RAM, the maximum size - it is all free memory (+SWAP).

There is another side issue. I tested the technique on Linux Ubuntu 14 - when filling memory (+ SWAP, if available), the system hangs up tightly, you need to reboot. In OS Windows it better, Web Storage is no longer filled with about 2 GB (the system does not hang, but work in the browser becomes impossible).

I put the script: every 10 milliseconds, he puts in the Web Storage 100 KB, ie, 10 Mb / s (can be more, but if the CPU load is greatly increased). It works in different versions that I tested, and Linux and in Windows.

Such errors are suited for the program Bug Bounty?

Actual results:
1. Bypass limit Web Storage
2. Hang System

Expected results:
1. Correct handling of data when stored in Web Storage (limit of 5 MB)
Reporter
Updated•9 years ago
Hardware: Unspecified → x86_64
Comment 1•9 years ago
Both aspects of this are essentially "denial of service" bugs that generally aren't part of the bounty program. The ability to fill someone's disk makes it not a simple transient DoS and harder for a non-technical person to recover from so we'd consider that fact. But unfortunately this issue has already been reported by someone else (bug 929846) and thus a bounty won't be considered. The fix is currently being tested in our Nightly release (Firefox 43).
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Component: Untriaged → DOM
Flags: sec-bounty-
Product: Firefox → Core
Resolution: --- → DUPLICATE
Summary: Web Storage → Web Storage key lengths not counted against quota
Assignee
Updated•5 years ago
Component: DOM → DOM: Core & HTML
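
The accounting gap this bug describes, as an added example that is not part of the original report and is not Firefox code: a simplified model of a per-origin quota check that charges only values, beside one that charges key plus value. The class and function names, the two-bytes-per-code-unit cost and the sample keys are assumptions constructed for illustration.

```javascript
// Added illustration: simplified quota model, not Firefox code; all names are hypothetical.
const QUOTA_BYTES = 5 * 1024 * 1024; // the 5 MB limit cited in the report

// Assumption: strings are charged as UTF-16, two bytes per code unit.
const cost = (s) => s.length * 2;

class ModelStorage {
  // countKeys=false: only values are charged (the reported behaviour).
  // countKeys=true: key and value are both charged (the expected behaviour).
  constructor(countKeys) {
    this.countKeys = countKeys;
    this.items = new Map();
    this.charged = 0; // bytes the quota check believes are in use
  }
  itemCost(key, value) {
    return cost(value) + (this.countKeys ? cost(key) : 0);
  }
  setItem(key, value) {
    key = String(key);
    value = String(value);
    // Replacing an existing item releases its old charge first.
    const old = this.items.has(key) ? this.itemCost(key, this.items.get(key)) : 0;
    const next = this.charged - old + this.itemCost(key, value);
    if (next > QUOTA_BYTES) throw new Error("QuotaExceededError");
    this.items.set(key, value);
    this.charged = next;
  }
  // Bytes actually held, independent of what the quota check charged.
  actualBytes() {
    let total = 0;
    for (const [k, v] of this.items) total += cost(k) + cost(v);
    return total;
  }
}

// Regression check with constructed input: distinct keys of 100 * 1024 characters, empty values.
function quotaCheck(store, writes) {
  const pad = "k".repeat(100 * 1024 - 8);
  let accepted = 0;
  try {
    for (let i = 0; i < writes; i++) {
      store.setItem(String(i).padStart(8, "0") + pad, "");
      accepted++;
    }
  } catch (e) {
    if (e.message !== "QuotaExceededError") throw e;
  }
  return { accepted, charged: store.charged, actual: store.actualBytes() };
}
```

With `quotaCheck(new ModelStorage(false), 100)` every write is accepted while `charged` stays at 0; with `new ModelStorage(true)` the 26th write is refused and the bytes held stay under the quota.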