mirror of https://github.com/RGBCube/serenity synced 2025-05-31 04:48:14 +00:00

LibWeb: Mitigate the billion-laughs attack on CSS variables

We now stop processing variables once a length of 16384 tokens is
reached. This is an arbitrary number, but should be far beyond what
anyone will reasonably use, and small enough to not crash.
Sam Atkins 2021-12-03 13:10:21 +00:00 committed by Andreas Kling
parent 67e1125b4c
commit 3df0bf2c8d


@ -459,7 +459,14 @@ bool StyleComputer::expand_unresolved_values(DOM::Element& element, Vector<Style
// This is a very naive solution, and we could do better if the CSS Parser could accept tokens one at a time.
// FIXME: Handle dependency cycles. https://www.w3.org/TR/css-variables-1/#cycles
// FIXME: Handle overly-long variables. https://www.w3.org/TR/css-variables-1/#long-variables
// Arbitrary large value chosen to avoid the billion-laughs attack.
// https://www.w3.org/TR/css-variables-1/#long-variables
const size_t MAX_VALUE_COUNT = 16384;
if (source.size() + dest.size() > MAX_VALUE_COUNT) {
dbgln("Stopped expanding CSS variables: maximum length reached.");
return false;
}
auto get_custom_property = [this, &element](auto& name) -> RefPtr<StyleValue> {
auto custom_property = resolve_custom_property(element, name);
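Review bot: the limit at `if (source.size() + dest.size() > MAX_VALUE_COUNT)` is tested once, before the `get_custom_property` lambda is set up, so in the lines shown it bounds the output only if every nested substitution re-enters expand_unresolved_values and hits this check again. Please say so in the comment, or also test `dest.size()` wherever tokens are appended, so the guarantee does not depend on the recursion shape staying as it is. The older "FIXME: Handle overly-long variables" line sits directly above the new comment and links the same spec section; if it is being kept, narrow it to what is still missing, otherwise drop it. Minor points: `MAX_VALUE_COUNT` could be `constexpr`, the name counts "values" while the commit message talks about tokens, and the `dbgln` will fire for each property that hits the limit, which can flood the debug log on a hostile stylesheet.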