DoS: Deeply nested kbd's hangs firefox


(PJH) #1

WARNING: Don’t go to the example post here unless you want your instance of Firefox to hang (starting a second instance with -no-remote -ProfileManager will allow you to view the problem if FF is your only browser) or unless you’re using a browser known not to hang. All URLs in this post are deliberately defanged so they don’t autolink, to prevent accidental activation.


Deeply nested kbd tags irreparably hang Firefox (known versions 30, 31 and 34; 32 and 33 suspected) to the point where the browser process has to be killed (and the tab explicitly not reloaded in order for the next incarnation to work).

Known not to hang (Login to your account - What the Daily WTF?): Chrome 36, IE10, Safari 5 Win, Konqueror.

Egregious post: Firefox Users Can't Keep Up, all your grumpy cats are mine. - What the Daily WTF?

Experimentation by a user (HTML tag abuse thread - What the Daily WTF?) indicates that around 30 levels is sufficient to hang FF.

I’ve tried experimenting with CSS to try hiding some of the styling, on the assumption that it was the problem, but without luck:

p > kbd {
//    background-color: #FFF; // for hinting while messing around...
    kbd {
//        background-color: #DDD;
        > kbd {
//            background-color: #BBB;
            > kbd {
//                background-color: #990;
                > kbd {
//                    background-color: #FFF;
                    border: none;
                    box-shadow: none;
                    margin: 0;      // "none" is not a valid margin value
                    padding: 0;     // likewise for padding
                    font: inherit;  // reset the kbd font styling
                }
            }
        }
    }
}

(Jens Maier) #2

Would this mitigate the problem?

kbd kbd { display: none; }

(Tuan Anh Tran) #3

Your forum has lived up to its name.


(PJH) #4

hmm - didn’t think of that …


(PJH) #5

Yup:

p > kbd {
    kbd {
        > kbd {
            > kbd {
                > kbd {
                    display:none;
                }
            }
        }
    }
}

still allows for some creativity, but stops FF hanging - at least on my machine…


(Jens Maier) #6

Don’t use the > selector, or this can still be abused.

<kbd>**<kbd>**<kbd>**<kbd> etc... </kbd>**</kbd>**</kbd>**</kbd>

You can nest these infinitely, and kbd > kbd would never match because each <kbd> has a <strong> as its parent.


(PJH) #7

Testing would suggest otherwise. With the above 4-level-deep CSS implemented:


Edit: View Source:


(PJH) #8

Ah - I see the problem - HTML and Markup not playing happily together, so not creating the problem indicated. Specifying it all in HTML demonstrates it:


(PJH) #9

p kbd {
    kbd {
        kbd {
            kbd {
                kbd {
                    display:none;
                }
            }
        }
    }
}

fixes that one - any other potential holes?


(Jens Maier) #10

Can’t think of anything else right now.


(Sam Saffron) #11

@eviltrout this is a timebomb, you can basically crash Firefox with this. Can you get something in place here?

cc @awesomerobot


(PJH) #12

A more generic solution has been proposed (Firefox Users Can't Keep Up, all your grumpy cats are mine. - What the Daily WTF?) which appears to work:

div.cooked * * * * * * * * * * {display:none;}


(Kris) #13

kbd * {display: none; } should do it, no? Is there really any markup that should be allowed inside of kbd?


(Kris) #14

Actually I think I like kbd * * better, one level of nested markup is fine.


(PJH) #15

I hope it could be overridden locally with a rule such as I suggested?


(Kris) #16

Yeah, if you really wanted to support all that nesting you could

kbd * * { display: inline-block; }
div.cooked * * * * * * * * * * { display:none; }

in the CSS for your site


(PJH) #17

Ta. I know that lot like playing, so I’d like to give them some leeway to be creative while not breaking things for everyone else…
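
The selector behaviour argued over in the posts above (the ">" child-combinator bypass with <kbd><strong><kbd> from #6, the descendant chains, Kris's "kbd * *" and the generic ten-level "div.cooked * * * * * * * * * *" rule) modelled as an added example; this is not code from the thread or from Discourse. It assumes a constructed post body of the shape <div class="cooked"><p>...</p></div>, parses only tags plus a class attribute, and the function names (parse, countMatches, evaluate, post) are the example's own.

```javascript
// Added example (not from the thread or Discourse): how the CSS rules above
// match nested markup, comparing the ">" child combinator with descendants.

// Build a tree from a constructed, well-formed fragment (tags + class only;
// no void or self-closing tags, which the sample input does not use).
function parse(html) {
  const root = { tag: '#root', classes: [], children: [], parent: null };
  let cur = root;
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    if (closing) {
      if (cur.tag !== name) throw new Error(`unbalanced </${name}>`);
      cur = cur.parent;
    } else {
      const cls = /class="([^"]*)"/.exec(attrs);
      const classes = cls ? cls[1].trim().split(/\s+/) : [];
      const node = { tag: name, classes, children: [], parent: cur };
      cur.children.push(node);
      cur = node;
    }
  }
  if (cur !== root) throw new Error(`unclosed <${cur.tag}>`);
  return root;
}

// "tag.class" or "*": matches when the tag and every listed class match.
function matchesCompound(node, compound) {
  if (node.tag === '#root') return false;
  const [tag, ...classes] = compound.split('.');
  if (tag !== '*' && tag !== node.tag) return false;
  return classes.every((c) => node.classes.includes(c));
}

// Accepted grammar: compounds separated by whitespace (descendant) or by a
// standalone ">" token (child), e.g. "kbd > kbd" or "div.cooked * *".
function parseSelector(selector) {
  const parts = [];
  let comb = ' ';
  for (const tok of selector.trim().split(/\s+/)) {
    if (tok === '>') { comb = '>'; continue; }
    parts.push({ compound: tok, comb }); // comb links this part to its left neighbour
    comb = ' ';
  }
  return parts;
}

// Right-to-left matching with backtracking, as a browser evaluates selectors.
function matches(node, parts) {
  const rec = (n, i) => {
    if (!matchesCompound(n, parts[i].compound)) return false;
    if (i === 0) return true;
    if (parts[i].comb === '>') return n.parent !== null && rec(n.parent, i - 1);
    for (let a = n.parent; a !== null && a.tag !== '#root'; a = a.parent) {
      if (rec(a, i - 1)) return true;
    }
    return false;
  };
  return rec(node, parts.length - 1);
}

// Number of elements in the fragment that a rule would apply to (i.e. hide).
function countMatches(html, selector) {
  const parts = parseSelector(selector);
  let count = 0;
  const walk = (n) => {
    if (n.tag !== '#root' && matches(n, parts)) count += 1;
    n.children.forEach(walk);
  };
  walk(parse(html));
  return count;
}

// Rules from the thread: the four-level ">" chain, its descendant form,
// Kris's "kbd * *", and the generic ten-level rule that was committed.
const RULES = {
  childChain: 'kbd > kbd > kbd > kbd > kbd',
  descendantChain: 'kbd kbd kbd kbd kbd',
  kbdStarStar: 'kbd * *',
  generic: 'div.cooked * * * * * * * * * *',
};

function evaluate(html) {
  const out = {};
  for (const [name, sel] of Object.entries(RULES)) out[name] = countMatches(html, sel);
  return out;
}

// Constructed post body: `depth` nested <kbd>s, optionally with a spacer
// element between each pair (the <kbd><strong><kbd> trick from post #6).
function post(depth, spacer) {
  let s = 'x';
  for (let i = 0; i < depth; i++) {
    if (i > 0 && spacer) s = `<${spacer}>${s}</${spacer}>`;
    s = `<kbd>${s}</kbd>`;
  }
  return `<div class="cooked"><p>${s}</p></div>`;
}

console.log('plain nesting  ', evaluate(post(30)));
console.log('strong spacers ', evaluate(post(30, 'strong')));
```

Running it shows the point of posts #6 and #9: with <strong> between each pair of kbd's, the ">" chain matches nothing while the descendant chain still catches every kbd from the fifth level down, and the generic ten-level rule hides everything below depth ten regardless of which elements are used for padding.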


(Robin Ward) #18

I tested it out and the CSS seems to work great @awesomerobot.

I’ve committed it to master:

https://github.com/discourse/discourse/commit/e940723d998f3db6797aff993b4e170d7564c638


(Jeff Atwood) #19

This topic was automatically closed after 24 hours. New replies are no longer allowed.