W3C home > Mailing lists > Public > public-css-archive@w3.org > June 2018

Re: [csswg-drafts] [css-syntax] Consider disallowing NULL code points in stylesheets

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Mon, 11 Jun 2018 18:19:30 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-396337601-1528741169-sysbot+gh@w3.org>
> The rationale is that NULLs in a stylesheet are not useful, and NULL code points could be an indication of a buffer overrun, or an attempt of an attack by inserting NULL code points into the stylesheet.

Or another possibility - that you're trying to exfiltrate a local file (like a sqlite database) by getting it parsed as CSS and hoping you can capture a useful chunk of it in a `url()` function pointing to a malicious server.

I'm in support of this. At *bare minimum*, I'd like to automatically invalidate any property or rule containing a NULL, but I'm okay with killing the entire stylesheet too.  Anything's better than Firefox's current "eh, just treat the property like it ended" behavior upon encountering a null while parsing a property.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2757#issuecomment-396337601 using your GitHub account
Received on Monday, 11 June 2018 18:19:35 UTC

This archive was generated by hypermail 2.3.1 : Monday, 11 June 2018 18:19:37 UTC