Update error_verifier for new values of XML_Error to fix XML DoS crashes
Categories
(Core :: XML, defect)
People
(Reporter: mccr8, Assigned: mccr8)
References
(Blocks 2 open bugs)
Details
(Keywords: csectype-dos, sec-low)
Attachments
(1 file)
error_verifier, which was written in 2021, assumes that XML_ERROR_INVALID_ARGUMENT is the largest possible value of XML_Error and crashes if you get something larger. However, newer versions of expat added a few new values. One of them, XML_ERROR_AMPLIFICATION_LIMIT_BREACH, is returned when you trigger the DoS protection that has been added.
I verified that the "classic XML DoS" test cases in bug 616361 and bug 1192544 are tripping XML_ERROR_AMPLIFICATION_LIMIT_BREACH, and thus fixing error_verifier is enough to stop those test cases from triggering. Of course, this also means that our current behavior is less bad for those bugs than originally filed, because we don't just eat up all of your memory. As expected, the newer test case in bug 1954018 still crashes without tripping the amplification limit breach, on our current 2.6.4. In fact, those test cases don't seem to trigger XML_ERROR_AMPLIFICATION_LIMIT_BREACH so I'm not sure how exactly they are handled.
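The failure mode described above, as an added example that is not Mozilla's or expat's code: a range check pinned to the last enum value known when it was written rejects values added later, while a bound tied to the enum at compile time does not drift. The `Demo*` enum, its numeric values, the `DEMO_ERROR_COUNT` sentinel and the `Verdict` type are assumptions made for this sketch.

```cpp
#include <cstdio>

// Constructed stand-in for expat's XML_Error. Only INVALID_ARGUMENT and
// AMPLIFICATION_LIMIT_BREACH correspond to names in the bug; the other
// members and all numeric values are made up for this demo.
enum DemoXmlError : int {
  DEMO_ERROR_NONE = 0,
  DEMO_ERROR_SYNTAX,
  DEMO_ERROR_INVALID_ARGUMENT,            // upper bound the old check assumed
  DEMO_ERROR_NEWER_A,                     // placeholder for a later addition
  DEMO_ERROR_AMPLIFICATION_LIMIT_BREACH,  // returned by the DoS protection
  DEMO_ERROR_NEWER_B,                     // placeholder for a later addition
  DEMO_ERROR_COUNT                        // hypothetical sentinel, not in expat
};

// Fatal models the crash in the real verifier; returning it keeps the demo testable.
enum class Verdict { Accept, Fatal };

// Stale check: the upper bound was correct when written, then the enum grew.
Verdict stale_verifier(int code) {
  return (code >= DEMO_ERROR_NONE && code <= DEMO_ERROR_INVALID_ARGUMENT)
             ? Verdict::Accept
             : Verdict::Fatal;
}

// Updated check: the bound is the last known member, and the static_assert
// breaks the build if a member is added without revisiting this constant.
constexpr int kLastKnown = DEMO_ERROR_NEWER_B;
static_assert(kLastKnown == DEMO_ERROR_COUNT - 1,
              "enum grew: update kLastKnown and review the verifier");

Verdict updated_verifier(int code) {
  return (code >= DEMO_ERROR_NONE && code <= kLastKnown) ? Verdict::Accept
                                                         : Verdict::Fatal;
}

int main() {
  const int breach = DEMO_ERROR_AMPLIFICATION_LIMIT_BREACH;
  std::printf("stale:   %s\n",
              stale_verifier(breach) == Verdict::Accept ? "accept" : "fatal");
  std::printf("updated: %s\n",
              updated_verifier(breach) == Verdict::Accept ? "accept" : "fatal");
  return 0;
}
```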
Comment 1 (Assignee) • 1 hour ago
[@ error_verifier ] is the crash signature. The volume is rather low, with only about 70 in the last 6 months.
Comment 2 (Assignee) • 1 hour ago
Three new enum values have been added since this was last updated.
Comment 3 (Assignee) • 1 hour ago
The upgrade to 2.7.3 doesn't add any new cases to this type.