Closed Bug 381183 Opened 17 years ago Closed 8 years ago

Denial of Service based on XML Entity Million Laughs attack

Categories

(Core :: XML, defect)

x86
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 151380

People

(Reporter: rcannings, Unassigned)

Details

(Keywords: hang)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9a5pre) Gecko/20070518 Minefield/3.0a5pre
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9a5pre) Gecko/20070518 Minefield/3.0a5pre

FF's XML parser allows for internal entity declaration (http://www.xml.com/pub/a/98/08/xmlqna2.html). One can make a small XML file that, when parsed by FF, grows into a file exponential to its original size. This is called the "million laughs attack" (http://devcentral.f5.com/weblogs/macvittie/archive/2006/12/01/2517.aspx).

Clicking on http://ph4t.com/crash-ff.xml always causes FF on Linux and Windows to hang.

Additionally, I have experienced FF crashing regularly, but have not been able to reliably reproduce the crash or get a stack trace.

I labeled this as a security bug because some people consider DoSing apps as a security issue. However, I do *not* consider this issue to be critical by any means. I will attempt to debug this issue further to see if this leads to some sort of overflow.

Reproducible: Always

Steps to Reproduce:
1. load http://ph4t.com/crash-ff.xml in your browser
Actual Results:  
FF hangs

Expected Results:  
FF should not hang.

We don't consider hangs and "safe" crashes in web browsers to be security holes.  "Sometimes it crashes" sounds suspicious, though.
Assignee: nobody → xml
Group: security
Severity: normal → critical
Component: Security → XML
Keywords: hang
Product: Firefox → Core
QA Contact: firefox → ashshbhatt
Assignee: xml → nobody
QA Contact: ashshbhatt → xml
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
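
The internal entity expansion described in the report can be sized before parsing, without ever building the expanded text. The following is an added example, not code from the bug or from Firefox; the function names, the 64-level depth cap, the default character limit and the sample document are assumptions made for illustration.

```python
import re

# General internal entity declarations only; parameter and external entities are ignored.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.:-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([\w.:-]+);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}
MAX_DEPTH = 64  # assumed cap on entity nesting depth

class EntityLimitExceeded(Exception):
    """Raised when expansion would be recursive, too deep or too large."""

def expanded_length(text, decls, limit, memo, stack=()):
    """Return len(text) after full entity expansion, without building the string."""
    if len(stack) > MAX_DEPTH:
        raise EntityLimitExceeded("entity nesting too deep")
    total, pos = 0, 0
    for ref in ENTITY_REF.finditer(text):
        total += ref.start() - pos
        pos = ref.end()
        name = ref.group(1)
        if name in PREDEFINED:
            total += 1
        elif name not in decls:
            total += len(ref.group(0))   # undeclared reference: counted as written
        elif name in stack:
            raise EntityLimitExceeded(f"recursive entity &{name};")
        else:
            if name not in memo:         # each entity is sized once, so cost stays linear
                memo[name] = expanded_length(decls[name], decls, limit, memo, stack + (name,))
            total += memo[name]
        if total > limit:
            raise EntityLimitExceeded(f"expansion exceeds {limit} characters")
    return total + len(text) - pos

def check_document(xml_text, limit=1_000_000):
    """Size the document body after expansion; raise if it passes `limit`."""
    decls = {}
    for name, _quote, value in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, value)    # in XML the first declaration of a name binds
    end = xml_text.find("]>")            # simplification: end of the internal DTD subset
    body = xml_text[end + 2:] if end != -1 else xml_text
    return expanded_length(body, decls, limit, {}, ())

# Constructed sample: three small nested entities, harmless at this size.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE r [
  <!ENTITY a "ha">
  <!ENTITY b "&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;">
]>
<r>&c;</r>"""
```

Because each entity's expanded length is memoized, the check runs in time proportional to the input size even when the expanded size grows exponentially with nesting depth.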