Closed Bug 1199946 Opened 9 years ago Closed 9 years ago

Web Storage key lengths not counted against quota

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Unspecified
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 929846

People

(Reporter: lokin-roman-1983, Unassigned)

Details

Attachments

(1 file)

Attached file index.html
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36

Steps to reproduce:

Hello! I do not know English, so I write through a translator (my native language is Russian).

Firefox does not check the length of the key in localStorage and sessionStorage (hereinafter Web Storage); as a result I can store any amount of data instead of the allowed 5 MB. But since Web Storage data is stored in RAM, the maximum size is all free memory (+ swap).

There is another side issue. I tested the technique on Linux Ubuntu 14: when memory (+ swap, if available) fills up, the system hangs hard and you need to reboot. On Windows it is better: Web Storage stops filling at about 2 GB (the system does not hang, but working in the browser becomes impossible).

I put the script: every 10 milliseconds it puts 100 KB into Web Storage, i.e. 10 Mb/s (it can be more, but then the CPU load increases greatly). It works in the different versions that I tested, on both Linux and Windows.

Are such errors eligible for the Bug Bounty program?


Actual results:

1. Bypass limit Web Storage
2. Hang System


Expected results:

1. Correct handling of data when stored in Web Storage (limit of 5 MB)
Hardware: Unspecified → x86_64
Both aspects of this are essentially "denial of service" bugs that generally aren't part of the bounty program. The ability to fill someone's disk makes it not a simple transient DoS and harder for a non-technical person to recover from, so we'd consider that fact. But unfortunately this issue has already been reported by someone else (bug 929846) and thus a bounty won't be considered. The fix is currently being tested in our Nightly release (Firefox 43).
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Component: Untriaged → DOM
Flags: sec-bounty-
Product: Firefox → Core
Resolution: --- → DUPLICATE
Summary: Web Storage → Web Storage key lengths not counted against quota
Component: DOM → DOM: Core & HTML
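
The accounting gap named in the bug summary, as an added example that is not part of the bug report and not Firefox code: a small in-memory model of a storage area that charges either values only or keys plus values against the quota. The class, function and parameter names are hypothetical, and charging 2 bytes per UTF-16 code unit is an assumption of the model.

```javascript
// Added model of a Web Storage area, not Firefox code; all names are hypothetical.
const QUOTA_BYTES = 5 * 1024 * 1024; // the 5 MB limit from the report
class QuotaStore {
  // countKeys=false models the reported accounting (values only);
  // countKeys=true charges keys and values against the quota.
  constructor(countKeys, quota = QUOTA_BYTES) {
    this.items = new Map();
    this.countKeys = countKeys;
    this.quota = quota;
    this.charged = 0; // bytes the store believes it holds
  }
  // Assumption: each UTF-16 code unit is charged as 2 bytes.
  cost(key, value) {
    return 2 * (value.length + (this.countKeys ? key.length : 0));
  }
  setItem(key, value) {
    key = String(key); value = String(value);
    // Replacing an existing item refunds its old cost first.
    const old = this.items.has(key) ? this.cost(key, this.items.get(key)) : 0;
    const next = this.charged - old + this.cost(key, value);
    if (next > this.quota) {
      const err = new Error("quota exceeded");
      err.name = "QuotaExceededError";
      throw err;
    }
    this.items.set(key, value);
    this.charged = next;
  }
  // Real footprint of the stored strings, whatever the store charged.
  actualBytes() {
    let n = 0;
    for (const [k, v] of this.items) n += 2 * (k.length + v.length);
    return n;
  }
}
// Stores `count` distinct keys of `keyLen` code units with empty values;
// returns how many the store accepted before refusing.
function fillWithKeys(store, keyLen, count) {
  let accepted = 0;
  for (let i = 0; i < count; i++) {
    try {
      store.setItem(String(i).padStart(keyLen, "k"), "");
      accepted++;
    } catch (e) {
      if (e.name !== "QuotaExceededError") throw e;
      break;
    }
  }
  return accepted;
}
```

With values-only accounting `charged` stays at zero while `actualBytes()` grows without bound; with keys charged, `setItem` refuses once the real footprint would pass the quota.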