Closed Bug 326206 Opened 18 years ago Closed 1 year ago

XML parser chokes on extremely long attributes

Categories

(Core :: XML, defect)

RESOLVED INCOMPLETE

People

(Reporter: dveditz, Unassigned)

Details

(Keywords: hang, Whiteboard: [sg:dos])

Spun off from bug 319846 comment 2

As seen in bug 319846, extremely long attributes can DoS the XML parser. Nearly every time I broke in the debugger I was in little2_scanAtts (xmltok_impl.c). It appeared that when the current 4K chunk was exhausted the parser would start over again on that attribute with the next chunk added, so O((n^2)/4k).

Although we can sanitize stored data as in bug 319846, we can't always sidestep this issue since someone could send us a malicious XML file. If compressed it wouldn't be impractical to send the million or so characters that would be required.

Whiteboard: [sg:dos]
Severity: normal → critical
Keywords: hang

Anyone interested in looking into this?

Group: core-security

Hey Daniel,
Does this issue still occur for you or can it be closed?

Flags: needinfo?(dveditz)

I don't know: the expat project has fixed some DOS issues in the intervening years, but I can't find one mentioning attributes specifically. We'd have to create a test XML file with an attribute ~1M characters or more and see if we bog down.

Flags: needinfo?(dveditz)
QA Whiteboard: qa-not-actionable
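
The scaling check described in the comment above, as an added example that is not part of the bug report or of Mozilla's code: it feeds a constructed document with one long attribute to expat in 4K chunks and prints the time beside a simple model of the restart-per-chunk cost from the original report. It assumes Python's `xml.parsers.expat` binding stands in for the parser under test; all function names are hypothetical.

```python
import time
import xml.parsers.expat

CHUNK = 4096  # chunk size named in the report


def modelled_rescan_bytes(attr_len, chunk=CHUNK):
    """Bytes examined if scanning restarts at the attribute's first byte each
    time a chunk is appended (the behaviour the report describes). The few
    bytes of markup around the attribute are ignored."""
    total = buffered = 0
    while buffered < attr_len:
        buffered = min(buffered + chunk, attr_len)
        total += buffered  # everything buffered so far is scanned again
    return total


def build_doc(attr_len):
    """Constructed test input: one element carrying one attr_len-byte attribute."""
    return b'<r a="' + b"x" * attr_len + b'"/>'


def parse_chunked(doc, chunk=CHUNK):
    """Feed doc to expat chunk by chunk; return (attribute length seen, seconds)."""
    seen = {}
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: seen.update(n=len(attrs["a"]))
    start = time.perf_counter()
    for off in range(0, len(doc), chunk):
        parser.Parse(doc[off:off + chunk], False)
    parser.Parse(b"", True)  # signal end of input
    return seen["n"], time.perf_counter() - start


if __name__ == "__main__":
    # Doubling the attribute should roughly double the time on a parser that
    # resumes where it stopped, and roughly quadruple it on one that restarts.
    for n in (125_000, 250_000, 500_000, 1_000_000):
        got, secs = parse_chunked(build_doc(n))
        print(f"{n:>9} bytes  parsed={got}  {secs:.3f}s  "
              f"model={modelled_rescan_bytes(n):,}")
```
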

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: critical → --

Let's just close this for now and somebody can file a new issue if they come across a test case.

Severity: -- → S3
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE