Closed
Bug 381183
Opened 18 years ago
Closed 8 years ago
Denial of Service based on XML Entity Million Laughs attack
Categories
(Core :: XML, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 151380
People
(Reporter: rcannings, Unassigned)
References
()
Details
(Keywords: hang)
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9a5pre) Gecko/20070518 Minefield/3.0a5pre
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9a5pre) Gecko/20070518 Minefield/3.0a5pre
FF's XML parser allows for internal entity declaration (http://www.xml.com/pub/a/98/08/xmlqna2.html). One can make a small XML file that, when parsed by FF, grows into a file exponential to its original size. This is called the "million laughs attack" (http://devcentral.f5.com/weblogs/macvittie/archive/2006/12/01/2517.aspx).
Clicking on http://ph4t.com/crash-ff.xml always causes FF on Linux and Windows to hang.
Additionally, I have experienced FF crashing regularly, but have not been able to reliably reproduce the crash or get a stack trace.
I labeled this as a security bug because some people consider DoSing apps as a security issue. However, I do *not* consider this issue to be critical by any means. I will attempt to debug this issue further to see if this leads to some sort of overflow.
Reproducible: Always
Steps to Reproduce:
1. load http://ph4t.com/crash-ff.xml in your browser
Actual Results:
FF hangs
Expected Results:
FF should not hang.
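An added example, not part of the original report or of Mozilla's code: a pre-parse check that works out how large each internal entity would become by arithmetic on the declarations alone, so an amplifying document can be rejected before any parser expands it. The function names, the small sample document and the 1,000,000-character budget are assumptions made for illustration.

```python
import re

# Internal general entities only: <!ENTITY name "value"> or 'value'.
# Parameter (%) and external (SYSTEM/PUBLIC) entities do not match.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.:-]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([\w.:-]+);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}

# Constructed sample: three nested levels, deliberately tiny.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE d [
  <!ENTITY a "ha">
  <!ENTITY b "&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;">
]>
<d>&c;</d>"""

def expanded_sizes(xml_text):
    """Return {entity: expanded length}; nothing is ever materialised."""
    decls = {}
    for m in ENTITY_DECL.finditer(xml_text):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        decls.setdefault(m.group(1), value)  # first declaration is binding
    sizes, in_progress = {}, set()

    def size(name):
        if name in PREDEFINED:
            return 1
        if name in sizes:
            return sizes[name]
        if name not in decls:
            return 0  # undeclared reference: a parser would reject it
        if name in in_progress:
            raise ValueError("recursive entity reference: " + name)
        in_progress.add(name)
        value = decls[name]
        # Literal characters (character references counted as written)
        # plus the expanded size of every entity reference in the value.
        total = len(ENTITY_REF.sub("", value))
        total += sum(size(ref) for ref in ENTITY_REF.findall(value))
        in_progress.discard(name)
        sizes[name] = total
        return total

    for name in decls:
        size(name)
    return sizes

def exceeds_budget(xml_text, max_chars=1_000_000):
    """True if any declared entity would expand beyond max_chars."""
    return any(n > max_chars for n in expanded_sizes(xml_text).values())
```

Because sizes are memoised integers, the check runs in time proportional to the size of the DTD even when the expansion itself would be exponential.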
Comment 1•18 years ago
We don't consider hangs and "safe" crashes in web browsers to be security holes. "Sometimes it crashes" sounds suspicious, though.
Assignee: nobody → xml
Group: security
Severity: normal → critical
Component: Security → XML
Keywords: hang
Product: Firefox → Core
QA Contact: firefox → ashshbhatt
Updated•15 years ago
Assignee: xml → nobody
QA Contact: ashshbhatt → xml
Updated•8 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE