Large nested blockquote consumes huge amount of memory and crashes PHP #681
Comments
Can reproduce as well.
Thanks for reporting. Probably the best way to resolve this is for Parsedown to track and limit parse recursion depth to some sane limit that actual text isn't likely to reach, but also isn't going to come close to consuming all of PHP's available memory. We can make this configurable in case someone wants to lower or raise the limit depending on use cases. I think in principle you'd still need to have some submission limit when accepting user data though: an attacker could just submit the Probably the preferable thing for Parsedown to do if the recursion limit is exceeded is to cease sub-parsing and output potentially deeper remaining text as if it were regular text, though perhaps having Parsedown stop and report failure might be useful too?
This has been reported here: #86, but it never got merged.
👍
When converting markdown to HTML there is no failure condition: everything that is not valid markdown will remain plain text. So I think in this case too, continuing without error is the best solution.
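To make the mitigation discussed in the two comments above concrete, here is an added toy renderer (example code, not Parsedown's own): it parses leading `>` markers recursively, tracks the depth, and once a configurable limit is reached emits the remaining markers as escaped plain text instead of opening further levels. The limit value and function names are assumptions for illustration.

```python
import html

# Hypothetical limit for this example; the value Parsedown chose is not given here.
DEFAULT_MAX_DEPTH = 32


def render_blockquote(text: str, max_depth=DEFAULT_MAX_DEPTH, depth: int = 0) -> str:
    """Render leading '>' markers as nested <blockquote> elements.

    Recursion is bounded by max_depth (None = unbounded, reproducing the
    reported failure mode). Past the limit, whatever is left is treated as
    ordinary paragraph text, so the input still renders without an error.
    """
    stripped = text.lstrip(" ")
    limit_reached = max_depth is not None and depth >= max_depth
    if not stripped.startswith(">") or limit_reached:
        # No marker, or the limit is hit: remaining '>' become literal '&gt;'.
        return "<p>" + html.escape(stripped) + "</p>"
    inner = stripped[1:].lstrip(" ")  # drop one marker and its optional space
    return "<blockquote>" + render_blockquote(inner, max_depth, depth + 1) + "</blockquote>"


def unbounded_render_fails(text: str) -> bool:
    """Show the unbounded variant collapsing on deep input.

    PHP ran out of memory in the report; Python instead raises RecursionError
    once its frame limit is exceeded. Either way the request dies.
    """
    try:
        render_blockquote(text, max_depth=None)
        return False
    except RecursionError:
        return True


if __name__ == "__main__":
    # Constructed input mirroring the report: ~10k markers on one line.
    attack_line = ">" * 10000 + "hi"
    print(render_blockquote("> > quoted twice"))
    print("unbounded variant fails:", unbounded_render_fails(attack_line))
    out = render_blockquote(attack_line)
    print("bounded variant nesting depth:", out.count("<blockquote>"))
```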
9eb6a02 adds a recursion limiter to the
My site has been experiencing attacks achieved by posting a large nested blockquote in the forum. It looks like this:
>>>>>>>>>>>>>>>>>>>>>>...
(about 10k+ blockquote markings in one line). This eventually exhausts all available memory and kills the PHP instance. I wonder if this is the nature of the parser or is it an issue?
This is successfully reproduced in the project demo (http://parsedown.org/demo). (Sorry if this caused any damage.)