
Readily embeddable DOS: crafted infinite deflated content locks up Firefox

RESOLVED DUPLICATE of bug 831749

Status

Product: Core
Component: Networking: HTTP
Priority: --
Severity: critical
Status: RESOLVED DUPLICATE of bug 831749
Reported: 5 years ago
Modified: 5 years ago

People

(Reporter: Cathy J. Fitzpatrick, Unassigned)

Tracking

Keywords: hang

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

5 years ago
+++ This bug was initially created as a clone of Bug #831749 +++

User Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0
Build ID: 20121130221523

Steps to reproduce:

Currently, Firefox (tested on 17.0.1 on GNU/Linux) locks up when attempting to load deflated content when (a) the content does not end and (b) the content is sent in sufficiently large chunks.

For proof of concept, see http://shared.cathyjf.com/crafted-image.png which is a crafted "image" that should lock up Firefox within a couple of seconds, rendering it nonresponsive to any further input. This image can be embedded on other pages, and then those pages will lock up Firefox as well. It's probably even more potent if you embed several of these images on one page.

One potential application of this issue is that anybody could post something like [img]http://shared.cathyjf.com/crafted-image.png[/img] on a forum and then any Firefox users viewing the forum would be locked up. Similarly, the crafted image could be embedded on any web site that allows Markdown, such as GitHub.

The crafted-image.png file is actually a trivial PHP program, specifically the following program:

<?php
header('Content-type: image/png');
$s = sprintf("%60000u\n", 0);
while (true) echo $s;
?>

To deploy on Apache, you would have to set something like this in the .htaccess file:

AddOutputFilterByType DEFLATE image/png
Actual results:

http://shared.cathyjf.com/crafted-image.png causes Firefox to lock up
Expected results:

Firefox should not lock up
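The defensive counterpart of this report, as an added example that is not part of the bug or of Mozilla's code: a consumer of chunked deflate content that stops once the decoded size passes a budget, fed by a constructed stand-in for the PHP script above (an endless stream of the same 60001-byte line). The function and generator names are assumptions made here.

```python
import zlib

# Constructed to mirror the PoC: one line of sprintf("%60000u\n", 0), 60001 bytes.
POC_LINE = b"%60000d\n" % 0


def endless_deflate_stream(line=POC_LINE):
    """Constructed stand-in for the server in the report: yields deflate-compressed
    chunks of the same line forever (sync-flushed so each chunk decodes on its own)."""
    co = zlib.compressobj()
    while True:
        yield co.compress(line) + co.flush(zlib.Z_SYNC_FLUSH)


def finite_deflate_stream(payload, chunk_size=4096):
    """Ordinary, terminating deflate body split into network-sized chunks."""
    co = zlib.compressobj()
    body = co.compress(payload) + co.flush()
    for i in range(0, len(body), chunk_size):
        yield body[i:i + chunk_size]


class DecompressionLimitExceeded(Exception):
    """Raised when the decoded size exceeds the caller's budget."""


def bounded_inflate(chunks, max_output):
    """Inflate a chunked deflate stream, giving up once the decoded size exceeds max_output.
    The max_length argument to decompress() caps the work done per chunk, so even a single
    huge or highly compressible chunk cannot produce unbounded output before the check runs."""
    d = zlib.decompressobj()
    out = bytearray()
    for chunk in chunks:
        data = chunk
        while data:
            budget = max_output - len(out) + 1  # +1 distinguishes "exactly at cap" from "over"
            out += d.decompress(data, budget)
            if len(out) > max_output:
                raise DecompressionLimitExceeded(f"decoded size exceeded {max_output} bytes")
            data = d.unconsumed_tail  # input zlib did not consume because of the cap
        if d.eof:
            break
    return bytes(out)


def try_inflate(chunks, max_output):
    """Return ('complete', data) or ('aborted', None) so callers can branch on the outcome."""
    try:
        return "complete", bounded_inflate(chunks, max_output)
    except DecompressionLimitExceeded:
        return "aborted", None
```

Run against the endless generator, `try_inflate` returns `aborted` after roughly 17 chunks instead of looping forever, which is the behaviour a browser needs when the server never sends an end-of-stream marker.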
(Reporter)

Comment 1

5 years ago
This bug was originally posted with the secret flag set; however, no one looked at it so clearly it's not considered very important. I would just remove the secret flag but that doesn't appear to be possible.
(Reporter)

Updated

5 years ago
Version: 17 Branch → unspecified
(Reporter)

Comment 2

5 years ago
This bug also exists on Firefox 18.

Comment 3

That is only a DOS, right?
There are millions of ways to DOS a browser...
I can't access bug 831749 but from the bug# it's only a few days old.
Component: General → Networking: HTTP
Keywords: hang
(Reporter)

Comment 4

5 years ago
Yes, I realise it is not that serious; that is why I made this non-private version. The original version should not have been private, but I am not able to remove the secret flag.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 831749