Closed Bug 1732141 Opened 3 years ago Closed 3 years ago

Request loads forever if code is 101 or 304 and ct=application/pdf

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Version:
Firefox 92
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
96 Branch
Tracking Flags:
Tracking Status
firefox94 --- wontfix
firefox95 --- wontfix
firefox96 --- fixed

People

(Reporter: jannis, Assigned: Snuffleupagus)

References

Details

(Keywords: parity-chrome)

Attachments

(2 files)

Link to GitHub pull-request: https://github.com/mozilla/pdf.js/pull/14217
44 bytes, text/x-github-pull-request
Details | Review
Link to GitHub master push: https://github.com/mozilla/pdf.js/commit/60ab751bb6f4814ef71f16c7d9f466d2eb7c6b1e
81 bytes, text/x-github-pull-request
Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0

Steps to reproduce:

Visit a URL that returns a response with status-code=101 or 304, content-type=application/pdf and a non-empty body.

Also works if the URL is loaded in an iframe:

Actual results:

The browser will try to load the response forever and the load event on the page will never fire.

Expected results:

The browser should abort loading/or finish loading (a response is received) and fire the load event on the page.

A (compromised) website A could use this to stop other websites, that include website A in an iframe, from ever loading successfully. If the other websites use the load event on the page to start some important code, it will never execute and cease to work.

Group: core-security → dom-core-security
Component: DOM: Networking → DOM: Core & HTML

What is the behavior when a page takes forever to load under other circumstances?

Stopping the outer page from loading sounds like a DOS at worst, though it also requires getting the victim page to embed you as a iframe.

I think this depends on the reasons why the page takes forever to load.
If I remember my testing correctly, for some incorrect (or incomplete) responses Firefox will time out eventually. (Maybe this is not the case, I do not have an example at the moment).
For other reasons (e.g., the web server is sleeping) the behavior is the same, but this is the only example I currently know of where the web server does not have to spend any resources on it (a sleeping web server cannot close the connection, as this will interrupt the load).

Maybe, it could also be used to exhaust the connection pool without spending server resources, but this is DOS as well.

See Also: → 1732199
Group: dom-core-security

Chrome apparently doesn't have this issue.

Keywords: parity-chrome
Status: UNCONFIRMED → NEW
status-firefox94: --- → affected
Ever confirmed: true

Changing severity to S2 because webpages may load forever because of this bug.

Severity: -- → S2
Priority: -- → P2

Since this issue is restricted to the mime type application/pdf and when the issue was reproduced, I saw the pdf viewer was loaded, do you think if there is something wrong in the pdf viewer?

Flags: needinfo?(bdahl)

This seems to be a timing issue in RangedChromeActions where the stream finishes before the viewer finishes loading and we add a listener for passive loading. Since the listener isn't added early enough we never send the message to the viewer to unblock on the load event. Note: things work correctly if you change the pref to pdfjs.disableStream to true which causes StandardChromeActions to be used.

I'm on PTO until Nov 1st, but if anyone wants to grab this we'll probably need to change something here.

Flags: needinfo?(bdahl)
Commit merged into master by GitHub Authored by Brendan Dahl (brendandahl)
Assignee: nobody → jonas.jenwald
Status: NEW → ASSIGNED
Depends on: 1739229
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: