Issue 916515

Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Feature

Lack of depth limit while resolving the XML external entities

Reported by mar...@piosek.pl, Dec 19

Issue description

VULNERABILITY DETAILS
Chrome XML parser does not implement a depth limit while resolving the XML external entities. This may lead to DoS issues [1].

[1] https://en.wikipedia.org/wiki/Billion_laughs_attack

VERSION
Chrome Version: 71.0.3578.98 stable
Operating System: macOS 10.14.2 

REPRODUCTION CASE
1. Open in Chrome any XML file with "billion laughs" payload (e.g. http://w00t.pl/1.xml or 1.xml file attached to this issue)

Result: XML file with "billion laughs" payload is processed.
Expected result: Chrome should process XML entities only to a specified depth.

As an example, opening the same file in Edge causes an "XML5668: Exceeded maximum number of entity expansions" error.
 
Attachment: 1.xml (826 bytes)
Components: Blink>XML
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Summary: Lack of depth limit while resolving the XML external entities (was: Security: Lack of depth limit while resolving the XML external entities)
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Are-denial-of-service-issues-considered-security-bugs

"Denial of Service (DoS) issues are treated as abuse or stability issues rather than security vulnerabilities."
Labels: Needs-Triage-M71
Cc: phanindra.mandapaka@chromium.org
Labels: Needs-Feedback Triaged-ET
Thanks for the issue...

Tried to reproduce the issue on reported Chrome version 71.0.3578.98 using Mac 10.14.0. Attaching screencast for reference.
Steps: 
------
1. Launched reported chrome 
2. Navigated to the URL "http://w00t.pl/1.xml" and opened the given XML file as per the screencast.
We observed continuous loading while navigating to http://w00t.pl/1.xml and observed errors on the given XML.
 
@Reporter: Could you please check the attached screencast and let us know if we missed anything from our end.

Thanks!
Attachment: 916515.mp4 (2.2 MB)
Everything was done correctly on your side.

In my opinion the source problem is that the browser should not process such a file at all, however you can have a different view on this issue, of course. My recommendation is to modify the settings of the browser so that it finishes processing the file right after having achieved a specified level of the depth of XML entities, similarly to other browsers (see the example with Edge from the first record).
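The issue description above and the reporter's comment recommending a depth limit both concern the same defence: bounding entity expansion before the parser does the work. The following Python pre-parse check is an added example and is not part of this issue, of the 1.xml attachment, or of Chromium's code. It reads the internal general entities declared in a document's DOCTYPE, computes by arithmetic alone how large each would become when expanded and how deeply the references nest, and rejects the document when either exceeds a limit. The limit values (`MAX_DEPTH`, `MAX_EXPANSION_BYTES`), the function names and the three sample documents (a benign note, a scaled-down nested-entity document, and a pair of mutually recursive entities) are all constructed here as assumptions for the demonstration.

```python
"""Pre-parse guard against nested entity expansion (added example, not Chromium code).

Estimates the expanded size and nesting depth of a document's internal general
entities without ever building the expanded text, then rejects documents that
exceed configured limits. Limits below are assumed values for the demonstration,
not the limits of any real browser or parser.
"""
import re

MAX_DEPTH = 3                 # entity-reference nesting levels; a reference in content is level 1
MAX_EXPANSION_BYTES = 1_000_000

# DOCTYPE with an internal subset: <!DOCTYPE name [ ... ]>
DOCTYPE_RE = re.compile(r'<!DOCTYPE\s[^\[>]*\[(.*?)\]\s*>', re.S)
# Internal general entities only: <!ENTITY name "literal">. External (SYSTEM/PUBLIC)
# and parameter (%name) entities do not match and are left to the real parser.
ENTITY_DECL_RE = re.compile(r'<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+(["\'])(.*?)\2\s*>', re.S)
# General entity references; character references (&#...;) never match because of the first char.
ENTITY_REF_RE = re.compile(r'&([A-Za-z_:][\w.:-]*);')


class EntityExpansionError(ValueError):
    """Raised when a document's entities would expand beyond the configured limits."""


def parse_internal_entities(doc):
    """Return {name: replacement text} for internal general entities in the DOCTYPE."""
    m = DOCTYPE_RE.search(doc)
    if not m:
        return {}
    return {name: value for name, _quote, value in ENTITY_DECL_RE.findall(m.group(1))}


def measure(name, entities, _visiting=None, _cache=None):
    """Return (expanded_bytes, depth) for entity `name` using arithmetic only.

    depth counts reference levels: an entity whose value contains no references is 1.
    Predefined (&lt; &amp; ...) or undeclared entities are treated as 1-byte leaves.
    Mutually recursive entities (illegal in XML) are reported instead of looping.
    """
    _visiting = set() if _visiting is None else _visiting
    _cache = {} if _cache is None else _cache
    if name in _cache:
        return _cache[name]
    if name in _visiting:
        raise EntityExpansionError(f"recursive entity reference &{name};")
    value = entities.get(name)
    if value is None:
        return 1, 1
    _visiting.add(name)
    size, depth, last = 0, 1, 0
    for ref in ENTITY_REF_RE.finditer(value):
        size += ref.start() - last                      # literal text before the reference
        inner_size, inner_depth = measure(ref.group(1), entities, _visiting, _cache)
        size += inner_size
        depth = max(depth, inner_depth + 1)
        last = ref.end()
    size += len(value) - last                           # literal text after the last reference
    _visiting.discard(name)
    _cache[name] = (size, depth)
    return size, depth


def check_document(doc, max_depth=MAX_DEPTH, max_bytes=MAX_EXPANSION_BYTES):
    """Reject `doc` before a real parser sees it if its entity expansion is too deep or too large.

    Conservative by design: references inside comments or CDATA are counted as well.
    Returns a summary dict on success, raises EntityExpansionError otherwise.
    """
    entities = parse_internal_entities(doc)
    m = DOCTYPE_RE.search(doc)
    body = doc[m.end():] if m else doc
    total, deepest, cache = 0, 0, {}
    for ref in ENTITY_REF_RE.finditer(body):
        size, depth = measure(ref.group(1), entities, set(), cache)
        total += size
        deepest = max(deepest, depth)
    if deepest > max_depth:
        raise EntityExpansionError(f"entity nesting depth {deepest} exceeds limit {max_depth}")
    if total > max_bytes:
        raise EntityExpansionError(f"entities would expand to {total} bytes, limit is {max_bytes}")
    return {"expanded_bytes": total, "max_depth": deepest, "entities": len(entities)}


# Constructed sample documents for the checker (not the attachment from the issue).
BENIGN = ('<?xml version="1.0"?>\n'
          '<!DOCTYPE note [ <!ENTITY company "Example Corp"> ]>\n'
          '<note>&company; says &lt;hi&gt;</note>')
# Six nesting levels, fanout 10: a 3-byte leaf would expand to 3,000,000 bytes.
NESTED = ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n <!ENTITY lol "lol">\n'
          ' <!ENTITY lol1 "' + "&lol;" * 10 + '">\n'
          ' <!ENTITY lol2 "' + "&lol1;" * 10 + '">\n'
          ' <!ENTITY lol3 "' + "&lol2;" * 10 + '">\n'
          ' <!ENTITY lol4 "' + "&lol3;" * 10 + '">\n'
          ' <!ENTITY lol5 "' + "&lol4;" * 10 + '">\n'
          ' <!ENTITY lol6 "' + "&lol5;" * 10 + '">\n'
          ']>\n<lolz>&lol6;</lolz>')
RECURSIVE = ('<?xml version="1.0"?>\n'
             '<!DOCTYPE r [ <!ENTITY a "&b;"> <!ENTITY b "&a;"> ]>\n<r>&a;</r>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("nested", NESTED), ("recursive", RECURSIVE)):
        try:
            print(label, "accepted:", check_document(sample))
        except EntityExpansionError as err:
            print(label, "rejected:", err)
```

The check mirrors what the Edge error message in the report describes: a parser that gives up once expansion passes a threshold. A real parser enforces this internally while expanding; the stand-alone version here is useful as a pre-filter in front of a parser that does not, and shows that the cost of the decision is proportional to the size of the DTD, not to the size of the expanded output.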
Project Member

Comment 5 by sheriffbot@chromium.org, Dec 20

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: vamshi.kommuri@chromium.org
Labels: Needs-Feedback
@Reporter: From comment #4, it is understood that the issue seems to be a Feature request. Could you please confirm the same? Your confirmation helps us to triage the issue further in a better way.

Thanks!
Labels: OS-Mac
From C#0...
> it is understood that the issue seems to be a Feature request

Yes
Project Member

Comment 9 by sheriffbot@chromium.org, Jan 9

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Type-Bug Target-73 M-73 FoundIn-71 FoundIn-73 FoundIn-72 OS-Linux OS-Windows Pri-2 Type-Feature
Status: Untriaged (was: Unconfirmed)
Marking it as Untriaged as this is a Feature request. And adding appropriate labels. Requesting someone from Dev team to have a look into this. 

Thanks!