
New denial of service attack! #280

Closed
marcusklaas opened this issue Apr 29, 2019 · 6 comments

Comments

@marcusklaas
Collaborator

commented Apr 29, 2019

Was going over the inline html scanning routines when I ran into some questionable scanning methods. In particular, parsing repetitions of "a <![CDATA[" will scale quadratically!

Haven't tested other parsers yet. It would probably be good to test them as well and let them know when they are also vulnerable.

@marcusklaas

Collaborator Author

commented Apr 29, 2019

md4c is vulnerable also

@marcusklaas

Collaborator Author

commented Apr 29, 2019

and so is cmark..

@mity


commented Apr 29, 2019

@marcusklaas Fixed in MD4C by remembering how far we have scanned for the expected HTML closer without finding it. Later attempts to re-scan for the same closer may then fail early.

Note other raw HTML openers (e.g. HTML processing instructions or declarations) exhibited the same problem so you may need to check them too.

@marcusklaas

Collaborator Author

commented Apr 29, 2019

Thanks for the pointers! Good to have the parser people looking out for each other ^^

The <? and <!A vulnerabilities I hadn't caught and by looking at the code, pulldown-cmark is vulnerable to these as well.

@oberien

Contributor

commented May 5, 2019

Is a <![CDATA[ just a special case of a <!A? Or is it actually due to containing <![CDATA[?

@mity


commented May 5, 2019

The spec sees them as separate cases because the rules for starting/ending them are different.

See https://spec.commonmark.org/0.29/#declaration versus https://spec.commonmark.org/0.29/#cdata-section.

That said, an implementation can share some code, but obviously not all of it.
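To make the quadratic rescan reported at the top of this thread, the early-fail fix described in mity's comment, and the "different closers for different openers" point concrete, here is an added example; it is not code from pulldown-cmark, md4c or cmark. It scans for the three inline raw-HTML kinds discussed here, `<![CDATA[`/`]]>`, `<?`/`?>` and `<!A`/`>`, once in a naive form that rescans to the end of input for every unclosed opener and once in a memoized form that records, per closer kind, the offset from which a closer search already failed. The declaration rule is simplified to `<!` plus one uppercase ASCII letter (an assumption; the spec also requires whitespace after the name), and the `work` counter of examined positions is a stand-in for CPU time.

```rust
// Added example, not code from pulldown-cmark, md4c or cmark: a toy inline
// raw-HTML scanner showing the quadratic rescan from the issue and the
// "remember where the closer search failed" fix described by mity.
// Opener/closer pairs follow CommonMark 0.29; the declaration rule is
// simplified to "<!" plus one ASCII uppercase letter (assumption).

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum Kind {
    Cdata, // <![CDATA[ ... ]]>
    Pi,    // <? ... ?>
    Decl,  // <!A ... >
}

/// Closing delimiter each opener kind must be followed by.
fn closer(kind: Kind) -> &'static [u8] {
    match kind {
        Kind::Cdata => b"]]>",
        Kind::Pi => b"?>",
        Kind::Decl => b">",
    }
}

/// If a raw-HTML opener starts at `i`, return its kind and length.
/// The CDATA check runs first because "<![CDATA[" also starts with "<!".
fn opener_at(s: &[u8], i: usize) -> Option<(Kind, usize)> {
    let rest = &s[i..];
    if rest.starts_with(b"<![CDATA[") {
        Some((Kind::Cdata, 9))
    } else if rest.starts_with(b"<?") {
        Some((Kind::Pi, 2))
    } else if rest.starts_with(b"<!") && rest.get(2).map_or(false, u8::is_ascii_uppercase) {
        Some((Kind::Decl, 2))
    } else {
        None
    }
}

/// Linear search for `closer` in `s[from..]`; returns the offset just past it.
/// `work` counts candidate positions examined, our stand-in for CPU time.
fn find_closer(s: &[u8], from: usize, closer: &[u8], work: &mut usize) -> Option<usize> {
    let mut i = from;
    while i + closer.len() <= s.len() {
        *work += 1;
        if &s[i..i + closer.len()] == closer {
            return Some(i + closer.len());
        }
        i += 1;
    }
    None
}

/// Result of one scan: raw-HTML spans `(start, end)` and the work spent.
#[derive(Debug, PartialEq, Eq)]
struct Scan {
    spans: Vec<(usize, usize)>,
    work: usize,
}

/// Scan `input` for inline raw HTML. With `memoize == false` every unclosed
/// opener rescans to the end of input (quadratic in the number of openers).
/// With `memoize == true` the scanner records, per closer kind, the offset
/// from which a search already failed; a failed search covers everything to
/// the end of input, so any later search of the same kind from a larger
/// offset must fail too and is skipped without touching the input.
fn scan(input: &str, memoize: bool) -> Scan {
    let s = input.as_bytes();
    let mut spans = Vec::new();
    let mut work = 0usize;
    let mut no_closer_from: [Option<usize>; 3] = [None; 3];
    let mut i = 0;
    while i < s.len() {
        if let Some((kind, len)) = opener_at(s, i) {
            let body = i + len;
            let k = kind as usize;
            let known_missing = memoize && no_closer_from[k].map_or(false, |p| body >= p);
            if !known_missing {
                match find_closer(s, body, closer(kind), &mut work) {
                    Some(end) => {
                        spans.push((i, end));
                        i = end; // consume the whole raw-HTML span
                        continue;
                    }
                    None => {
                        if memoize {
                            // keep the earliest offset known to have no closer
                            no_closer_from[k].get_or_insert(body);
                        }
                    }
                }
            }
        }
        i += 1;
    }
    Scan { spans, work }
}

/// The adversarial input from the issue: n copies of "a <![CDATA[" and no "]]>".
fn adversarial(n: usize) -> String {
    "a <![CDATA[".repeat(n)
}

fn main() {
    let input = adversarial(2000);
    let naive = scan(&input, false);
    let memo = scan(&input, true);
    println!("naive: {} positions examined, memoized: {}", naive.work, memo.work);
    assert_eq!(naive.spans, memo.spans); // same parse, far less work
}
```

On `"a <![CDATA[".repeat(n)` the naive scanner examines roughly 11n²/2 positions while the memoized one examines about 11n, and both return the same empty span list. A real parser bounds the closer search at the end of the enclosing block rather than the end of input, so the remembered offset is only valid within that block, but the argument is unchanged: a search that failed from offset p already covered every offset after p, and each closer kind needs its own memo because `]]>`, `?>` and `>` are different strings.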
