
Re: Safe ways of implementing limits on buffer sizes in the parser

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 2 Jul 2009 05:18:45 +0000 (UTC)
To: Henri Sivonen <hsivonen@iki.fi>
Cc: "public-html@w3.org WG" <public-html@w3.org>
Message-ID: <Pine.LNX.4.62.0907020517390.1060@hixie.dreamhostps.com>

On Mon, 8 Jun 2009, Henri Sivonen wrote:
> The spec allows implementations to place limits on the sizes of various things
> in HTML in order to avoid exhausting resources.
> There are various buffers in the HTML5 parser all of which a remote site can
> fill arbitrarily much by choosing a suitable input. Has someone already
> pondered the security implications of the following strategies? That is, are
> either of these safe?
>  1) Truncating a buffer from the end and leaving U+FFFD as the last character
> in the buffer.
>  2) Truncating a buffer from the beginning and leaving U+FFFD as the first
> character in the buffer.
> (It seems that dropping the buffer entirely is inconvenient e.g. when the
> buffer is an element name, although I guess it's an option for attribute
> values and element content.)

Both options seem reasonable; personally I implemented the former (though
if I recall correctly, I used "... truncated", with a space, rather than
U+FFFD, since that way it couldn't clash with a non-truncated attribute).

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 2 July 2009 05:19:20 UTC
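As an added illustration of the two strategies Henri lists (this is example code, not code from the thread or from any browser's parser), here is a bounded tokenizer buffer that applies the limit while characters are appended, so the buffer never grows past the limit no matter how much input the remote document supplies; the marker defaults to U+FFFD and can be swapped for a string such as Ian's "... truncated". The class name, the `mode` values and the `feed`/`value` helpers are assumptions for this example.

```python
from collections import deque

REPLACEMENT = "\ufffd"  # U+FFFD, the marker Henri proposes


class BoundedBuffer:
    """Tokenizer buffer holding at most `limit` code points (hypothetical class).

    mode="end"   -> strategy 1: keep the first characters, mark the end
    mode="start" -> strategy 2: keep the last characters, mark the start

    Python strings are sequences of code points; an implementation that
    stores UTF-8 or UTF-16 must count code units but cut only on code
    point boundaries, never inside a multi-unit sequence.
    """

    def __init__(self, limit: int, mode: str = "end", marker: str = REPLACEMENT):
        if limit <= len(marker):
            raise ValueError("limit must leave room for payload plus marker")
        if mode not in ("end", "start"):
            raise ValueError("mode must be 'end' or 'start'")
        self.limit, self.mode, self.marker = limit, mode, marker
        # deque(maxlen) evicts the oldest character in O(1); memory is bounded
        # by `limit` at all times, which is the resource-exhaustion concern.
        self.chars = deque(maxlen=limit)
        self.truncated = False  # explicit flag, independent of the marker text

    def append(self, ch: str) -> None:
        if len(self.chars) < self.limit:
            self.chars.append(ch)
        elif self.mode == "end":
            self.truncated = True  # strategy 1: discard everything past the limit
        else:
            self.truncated = True  # strategy 2: newest in, oldest out
            self.chars.append(ch)

    def feed(self, text: str) -> None:
        for ch in text:  # the tokenizer would call append() per character
            self.append(ch)

    def value(self) -> str:
        text = "".join(self.chars)
        if not self.truncated:
            return text
        if self.mode == "end":
            return text[: self.limit - len(self.marker)] + self.marker
        return self.marker + text[len(self.marker):]
```

Because U+FFFD can also occur in legitimately decoded input, the `truncated` flag is what a tree builder should consult when it needs to know a value was cut, whichever marker is chosen.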
