Closed Bug 1348578 Opened 7 years ago Closed 7 years ago

Denial Of Service loading a 215MB XML file

Categories

(Core :: XML, defect, P3)

52 Branch
defect

RESOLVED DUPLICATE of bug 151380

People

(Reporter: mishra.dhiraj95, Unassigned)

Details

(Keywords: csectype-dos)

Attachments

(1 file)

204.22 KB, application/java-archive
Attached file poc.zip
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170303012758

Steps to reproduce:

Product affected : FF 52.0 
User Agent :	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
OS :	Linux 4.4.0-64-generic



Actual results:

Steps to Reproduce :
1. Open index.html 
Trying using Mozilla.

It's a Denial of Service attack so not marking it as a security bug.
Component: Untriaged → Security
Keywords: csectype-dos
Product: Firefox → Core
Summary: Denial Of Service → Denial Of Service loading a 215MB file
Attachment #8848775 - Attachment mime type: application/zip → application/java-archive
Component: Security → XML
Summary: Denial Of Service loading a 215MB file → Denial Of Service loading a 215MB XML file
Priority: -- → P3
Peter or Henri, do you think there's anything we can/should do here to mitigate things?
Flags: needinfo?(peterv)
Flags: needinfo?(hsivonen)
This is a slight variation of https://en.wikipedia.org/wiki/Billion_laughs_attack . I'm a bit surprised that we don't already mitigate this.

The easiest fix would be to be non-conforming and not support internal entity declarations from non-chrome URLs. But I'm sure there has to be some content out there that uses internal entity declarations in small amounts just because it's supposed to work (see "Why Specs Matter").

CCing annevk for an opinion on how non-conforming we should dare to be.

I'm going to look at the expat source next to see about mitigation opportunities.
Flags: needinfo?(hsivonen)
Looks like the person who appears to be the maintainer of expat has been seeking funding for by-default protection against billion laughs as recently as August this year:
https://www.xml.com/news/2017-08-expat-224-released/
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(peterv)
Resolution: --- → DUPLICATE
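
A middle ground between expanding everything and refusing internal entity declarations outright, as discussed in the comments above, is to size each declared entity when the DTD ends and reject the document before any content is expanded. The sketch below is an added example using Python's binding to expat; it is not Firefox or expat code, and `expanded_entity_sizes`, `EntityBudgetExceeded`, `max_chars` and the sample document are hypothetical names and constructed data.

```python
import re
from xml.parsers import expat

# Constructed sample: three nested internal entities, 10 x 10 x 10 characters.
SAMPLE = b"""<!DOCTYPE r [
  <!ENTITY a "xxxxxxxxxx">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<r>&c;</r>"""

REF = re.compile(r"&([^#;&\s][^;&\s]*);")  # general entity reference

class EntityBudgetExceeded(Exception):
    pass

def expanded_entity_sizes(xml_bytes, max_chars=10_000):
    """Return {entity: expanded length}; raise before any content is expanded."""
    decls, sizes = {}, {}

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is not None and not is_param:  # internal general entities only
            decls.setdefault(name, value)       # XML: first declaration binds

    def size(name, stack=()):
        if name in sizes:
            return sizes[name]                  # memoised: each entity sized once
        if name in stack:
            raise EntityBudgetExceeded(f"recursive entity &{name};")
        if name not in decls:
            return 1                            # predefined (&lt; etc.) or undeclared
        total = len(REF.sub("", decls[name]))   # literal characters
        for ref in REF.findall(decls[name]):    # plus everything it pulls in
            total += size(ref, stack + (name,))
        if total > max_chars:
            raise EntityBudgetExceeded(f"&{name}; exceeds {max_chars} chars")
        sizes[name] = total
        return total

    def on_doctype_end():
        # Declaration order is irrelevant in XML, so size only once the DTD is complete.
        for name in decls:
            size(name)

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.EndDoctypeDeclHandler = on_doctype_end
    parser.Parse(xml_bytes, True)               # handler exceptions propagate from here
    return sizes
```

This bounds the size of each entity only; a document body that references one large entity many times still needs a separate cap on total parser output.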