
New denial of service attack! #280

Closed
marcusklaas opened this issue Apr 29, 2019 · 6 comments

@marcusklaas marcusklaas commented Apr 29, 2019

Was going over the inline html scanning routines when I ran into some questionable scanning methods. In particular, parsing repetitions of "a <![CDATA[" will scale quadratically!

Haven't tested other parsers yet. It would probably be good to test them as well and let them know when they are also vulnerable.

@marcusklaas marcusklaas commented Apr 29, 2019

md4c is vulnerable also

@marcusklaas marcusklaas commented Apr 29, 2019

and so is cmark..

@mity mity commented Apr 29, 2019

@marcusklaas Fixed in MD4C by remembering how far we have scanned for the expected HTML closer without finding it. Later attempts for re-scanning for the same closer then may fail early.

Note other raw HTML openers (e.g. HTML processing instructions or declarations) exhibited the same problem so you may need to check them too.

@marcusklaas marcusklaas commented Apr 29, 2019

Thanks for the pointers! Good to have the parser people looking out for each other ^^

The <? and <!A vulnerabilities I hadn't caught and by looking at the code, pulldown-cmark is vulnerable to these as well.
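
The fix mity describes above (remember how far a closer search already got without a match, so later searches for the same closer fail early), extended to the `<?` and `<!A` openers marcusklaas mentions, as an added example in Rust. This is illustrative code written for this page, not pulldown-cmark, MD4C or cmark code. It puts the quadratic shape of the bug (`scan_naive`, which rescans to end of input for every opener) next to the memoized version (`scan_memo`) and counts byte comparisons so the difference is measurable. The opener and closer rules are a simplification of the CommonMark raw-HTML cases (a declaration is closed by the next `>`, comments are not handled), and `Kind`, `Scan`, `find_closer` and the `work` counter are names invented for the example.

```rust
// Added example: naive vs. memoized closer scanning for raw HTML openers.
// Not code from pulldown-cmark, MD4C or cmark; opener/closer rules simplified.

/// Raw-HTML openers whose closer has to be searched for.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
enum Kind {
    Cdata,    // <![CDATA[ ... ]]>
    ProcInst, // <? ... ?>
    Decl,     // <!A ... >   (ASCII letter after "<!", closer simplified to '>')
}

impl Kind {
    fn closer(self) -> &'static [u8] {
        match self {
            Kind::Cdata => b"]]>",
            Kind::ProcInst => b"?>",
            Kind::Decl => b">",
        }
    }
}

/// If an opener starts at `i`, return its kind and the index where the
/// closer search begins (just past the opener).
fn opener_at(s: &[u8], i: usize) -> Option<(Kind, usize)> {
    let rest = &s[i..];
    if rest.starts_with(b"<![CDATA[") {
        Some((Kind::Cdata, i + 9))
    } else if rest.starts_with(b"<?") {
        Some((Kind::ProcInst, i + 2))
    } else if rest.len() >= 3 && rest.starts_with(b"<!") && rest[2].is_ascii_alphabetic() {
        Some((Kind::Decl, i + 3))
    } else {
        None
    }
}

/// Byte ranges recognised as raw HTML plus the number of byte-window
/// comparisons the closer searches performed (the cost we want to bound).
#[derive(Debug, PartialEq, Eq)]
struct Scan {
    spans: Vec<(usize, usize)>,
    work: usize,
}

/// Search for `closer` in `s[from..]`, counting every comparison.
/// Returns the index just past the closer if it is found.
fn find_closer(s: &[u8], from: usize, closer: &[u8], work: &mut usize) -> Option<usize> {
    let mut i = from;
    while i + closer.len() <= s.len() {
        *work += 1;
        if &s[i..i + closer.len()] == closer {
            return Some(i + closer.len());
        }
        i += 1;
    }
    None
}

/// Shape of the vulnerable logic: every opener rescans to end of input,
/// so n unclosed openers cost O(n * input length).
fn scan_naive(s: &[u8]) -> Scan {
    let (mut spans, mut work, mut i) = (Vec::new(), 0, 0);
    while i < s.len() {
        if let Some((kind, body)) = opener_at(s, i) {
            if let Some(end) = find_closer(s, body, kind.closer(), &mut work) {
                spans.push((i, end));
                i = end;
                continue;
            }
        }
        i += 1; // no raw HTML here: '<' is literal text, move on
    }
    Scan { spans, work }
}

/// Hardened variant: per closer, remember the earliest start from which a
/// search already reached end of input without a match. Scanning only moves
/// forward, so any later search starting at or after that point must fail
/// too and is answered without rescanning; total work stays linear.
fn scan_memo(s: &[u8]) -> Scan {
    let (mut spans, mut work, mut i) = (Vec::new(), 0, 0);
    let mut no_closer_from: [Option<usize>; 3] = [None; 3]; // indexed by Kind
    while i < s.len() {
        if let Some((kind, body)) = opener_at(s, i) {
            let k = kind as usize;
            let known_hopeless = no_closer_from[k].map_or(false, |p| body >= p);
            if !known_hopeless {
                match find_closer(s, body, kind.closer(), &mut work) {
                    Some(end) => {
                        spans.push((i, end));
                        i = end;
                        continue;
                    }
                    None => no_closer_from[k] = Some(body), // remember the failure
                }
            }
        }
        i += 1;
    }
    Scan { spans, work }
}

fn main() {
    // Constructed pathological input from the thread: repeated "a <![CDATA[" with no "]]>".
    let input = "a <![CDATA[".repeat(1000);
    let s = input.as_bytes();
    println!("{} bytes: naive {} comparisons, memo {} comparisons",
             s.len(), scan_naive(s).work, scan_memo(s).work);
}
```

Both scanners return identical spans on any input; the memo only skips searches that are guaranteed to fail. For 1000 repetitions (11000 bytes) the naive scan does about 5.5 million comparisons while the memoized one does under 11000, and the gap grows quadratically with input size. A real parser also has to keep the memo consistent across the separate code paths for declarations, processing instructions and CDATA, which is why the note about checking the other openers matters.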

@oberien oberien commented May 5, 2019

Is a <![CDATA[ just a special case of a <!A? Or is it actually due to containing <![CDATA[?

@mity mity commented May 5, 2019

The spec sees them as separate cases because the rules for starting/ending them are different.

See https://spec.commonmark.org/0.29/#declaration versus https://spec.commonmark.org/0.29/#cdata-section.

That said, implementation can share some code, but obviously not all of it.