Lack of depth limit while resolving the XML external entities
Reported by
mar...@piosek.pl,
Dec 19
Issue description

VULNERABILITY DETAILS
Chrome XML parser does not implement depth limit while resolving the XML external entities. This may lead to DoS issues [1].

[1] https://en.wikipedia.org/wiki/Billion_laughs_attack

VERSION
Chrome Version: 71.0.3578.98 stable
Operating System: macOS 10.14.2

REPRODUCTION CASE
1. Open in Chrome any XML file with "billion laughs" payload (e.g. http://w00t.pl/1.xml or 1.xml file attached to this issue)

Result: XML file with "billion laughs" payload is processed.
Expected result: Chrome should process XML entities only to specified depth. As example, opening the same file in Edge causes "XML5668: Exceeded maximum number of entity expansions" error.
,
Dec 19
,
Dec 20
Thanks for the issue...

Tried to reproduce the issue on reported chrome version 71.0.3578.98 using Mac 10.14.0. Attaching screen-cast for reference.

Steps:
1. Launched reported chrome
2. Navigated the URL "http://w00t.pl/1.xml" and opened given xml file as per screen-cast

As we have observed continuously loading while navigating to http://w00t.pl/1.xml and observed errors on given xml

@Reporter: Could you please check the attached screencast and let us know if we missed anything from our end.

Thanks!
,
Dec 20
Everything was done correctly on your side. In my opinion the source problem is that the browser should not process such a file at all, however you can have a different view on this issue, of course. My recommendation is to modify the settings of the browser so that it finishes processing the file right after having achieved a specified level of the depth of XML entities, similarly to other browsers (see the example with Edge from the first record).
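The depth and expansion limit recommended above can also be enforced before a document ever reaches a parser. The following is an added example, not part of the issue thread and not Chromium's or Edge's code: it measures the nesting depth and expanded size of internal entity declarations arithmetically, without expanding anything. The function name, the limit values and the sample document are assumptions constructed for illustration.

```python
import re

# Internal general entity declarations: <!ENTITY name "value">
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r"&([\w.-]+);")
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to one character


class EntityLimitExceeded(ValueError):
    """Raised when declared entities break a depth or size limit."""


def audit_entities(xml_text, max_depth=8, max_expanded_chars=1_000_000):
    """Return {name: (nesting_depth, expanded_length)} for declared entities.

    Sizes are computed arithmetically; no entity is ever actually expanded.
    The default limits are assumptions for this example.
    """
    decls = {}
    for name, _quote, value in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, value)  # XML rule: the first declaration wins
    memo = {}

    def measure(name, stack):
        if name in memo:
            return memo[name]
        if name in stack:
            raise EntityLimitExceeded(f"entity {name!r} references itself")
        if len(stack) >= max_depth:  # also bounds Python recursion
            raise EntityLimitExceeded(f"nesting deeper than {max_depth}")
        value = decls[name]
        depth, size = 1, len(ENTITY_REF.sub("", value))  # literal text only
        for ref in ENTITY_REF.findall(value):
            if ref in PREDEFINED:
                size += 1
            elif ref in decls:  # undeclared references are left to the parser
                child_depth, child_size = measure(ref, stack + (name,))
                depth = max(depth, child_depth + 1)
                size += child_size
        if depth > max_depth or size > max_expanded_chars:
            raise EntityLimitExceeded(f"{name!r}: depth={depth}, size={size}")
        memo[name] = (depth, size)
        return memo[name]

    return {name: measure(name, ()) for name in decls}


# Constructed sample: three nesting levels, three references per level.
SAMPLE = ('<!DOCTYPE r [ <!ENTITY a "xy"> <!ENTITY b "&a;&a;&a;"> '
          '<!ENTITY c "&b;&b;&b;"> ]><r>&c;</r>')
```

Because the size is a sum over memoized children, the check runs in time proportional to the size of the declarations even when the expansion itself would be exponential.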
,
Dec 20
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 9
@Reporter: From comment#4, it is understood that the issue seems to be a Feature request. Could you please confirm on the same. Your confirmation helps us to triage the issue further in a better way. Thanks!
,
Jan 9
From C#0...
,
Jan 9
> it is understood that the issue seems to be a Feature request

Yes
,
Jan 9
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 10
Marking it as Untriaged as this is a Feature request. And adding appropriate labels. Requesting someone from Dev team to have a look into this. Thanks!
Comment 1 by vakh@chromium.org, Dec 19
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Summary: Lack of depth limit while resolving the XML external entities (was: Security: Lack of depth limit while resolving the XML external entities)