Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CVE-2023-24038] Handler for style attribute is vulnerable to ReDoS #3

Open
ikedas opened this issue Jan 12, 2023 · 1 comment · May be fixed by #4
Open

[CVE-2023-24038] Handler for style attribute is vulnerable to ReDoS #3

ikedas opened this issue Jan 12, 2023 · 1 comment · May be fixed by #4

Comments

@ikedas
Copy link

ikedas commented Jan 12, 2023

Version: 1.06

Confirmed with Perl 5.16.3 & 5.32.1

This is a test script test.pl:

use HTML::StripScripts::Parser;
my $hss = HTML::StripScripts::Parser->new;
$hss->parse_file(shift);
print $hss->filtered_document;

With attached test data, it crashes as below:

$ perl test.pl test-1.html.txt
Complex regular subexpression recursion limit (32766) exceeded at /usr/share/perl5/vendor_perl/HTML/StripScripts.pm line 1602.
$ perl test.pl test-2.html.txt
Complex regular subexpression recursion limit (32766) exceeded at /usr/share/perl5/vendor_perl/HTML/StripScripts.pm line 1606.

test-1.html.txt
test-2.html.txt

@ikedas ikedas changed the title Handler for style attribute is vulnerable to reDoS [CVE-2023-24038] Handler for style attribute is vulnerable to ReDoS Jan 21, 2023
@ikedas
Copy link
Author

ikedas commented Jan 21, 2023

CVE-2023-24038 was assigned.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant