Issue 83: DOS vulnerability when using HTML5 Sanitization
What steps will reproduce the problem?

1. Have an attribute that is configured to use html5lib sanitization
2. Attempt to save the record with the HTML in the attached file

What is the expected output? What do you see instead?

Expected the record would be saved reasonably fast. The ruby process will peg the CPU, and the sanitization will take over 45 minutes, thus potentially downing any site that uses this configuration.

What version of the product are you using? On what operating system?

This occurred in our production environment on Engine Yard, and I also reproduced it locally on: ruby 1.8.6 (2008-03-03 patchlevel 114) [universal-darwin9.0]
Dec 04, 2008

I also reported this to the tracker for xss_terminate, the plugin we're using. http://code.google.com/p/xssterminate/issues/detail?id=4
Dec 04, 2008
This problem affects the Python implementation too.

In the Python version, it looks like the problem is the line

if not re.match("^(\s*[-\w]+\s*:\s*[^:;]*(;|$))*$", style): return ''

which can seemingly take exponential time to run. (As an example, see

re.match("^(\s*[-\w]+\s*:\s*[^:;]*(;|$))*$", 'x: y; ' * 21)

which is really slow. The space at the end of the expression makes it not match the pattern, and so it does a load of backtracking and takes forever.)
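Added example (not code from html5lib or from the commenter): the regex quoted above next to a hypothetical linear-time replacement that validates one declaration at a time, plus a small timer so the two can be compared. The replacement deliberately tolerates empty declarations, so trailing whitespace is accepted rather than rejected.

```python
import re
import time

# The check quoted in the comment above (html5lib sanitizer before r1231).
# Nested quantifiers with overlapping character classes (`\s*` vs `[^:;]*`)
# let the engine try about 2^n ways to split n "x: y; " units before failing.
VULNERABLE_STYLE_RE = re.compile(r"^(\s*[-\w]+\s*:\s*[^:;]*(;|$))*$")

# Hypothetical replacement (not the project's r1231 patch): validate one
# declaration at a time. Adjacent pieces use disjoint character classes
# (\s vs [-\w] vs ':' vs [^:;]), so there is only one way to match each
# declaration and the total work is linear in the attribute length.
DECLARATION_RE = re.compile(r"^\s*[-\w]+\s*:[^:;]*$")


def vulnerable_style_ok(style: str) -> bool:
    """The original check: True when the whole value matches the regex."""
    return VULNERABLE_STYLE_RE.match(style) is not None


def safe_style_ok(style: str) -> bool:
    """Linear-time check with the same grammar, except that empty
    declarations (a trailing ';' or trailing whitespace, which the
    sanitizer accepts from r1232 on) are tolerated instead of rejected."""
    for declaration in style.split(";"):
        if declaration.strip() == "":
            continue
        if DECLARATION_RE.match(declaration) is None:
            return False
    return True


def timed(check, style: str):
    """Return (result, seconds) so the two checks can be compared."""
    start = time.perf_counter()
    result = check(style)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    # Constructed inputs: a normal value and the comment's pathological one.
    normal = "color: red; font-weight: bold"
    pathological = "x: y; " * 21  # trailing space forces the backtracking
    for check in (vulnerable_style_ok, safe_style_ok):
        print(check.__name__, timed(check, normal))
    # Only the safe check is run on the pathological value; the original
    # regex takes minutes on it (see the comment above).
    print("safe_style_ok", timed(safe_style_ok, pathological))
```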
Dec 04, 2008
Fixed in r1231. (I haven't checked all the other regexps to make sure similar problems couldn't come up in different situations, but I don't see anything very obvious.) Also, in r1232 I made some changes so that the sanitizer wouldn't immediately reject style attribute values that end with spaces (as in your example), since they seem like a perfectly legitimate thing to do.
Status: Fixed