[tor-bugs] #9901 [TorBrowserButton]: DoS of TBB 2.4/3.0 when no Content-Type header and more than 512 bytes of content are sent
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jan 20 10:15:26 UTC 2014
#9901: DoS of TBB 2.4/3.0 when no Content-Type header and more than 512 bytes of
content are sent
----------------------------------+---------------------------
Reporter: sqrt2 | Owner: mikeperry
Type: defect | Status: reopened
Priority: normal | Milestone:
Component: TorBrowserButton | Version:
Resolution: | Keywords: tbb-usability
Actual Points: | Parent ID:
Points: |
----------------------------------+---------------------------
Comment (by gk):
Again useful comments from the diffs:
{{{
You can't bypass exception logging in JavaScript using null.
{{{
ACString getTypeFromURI (in nsIURI aURI)
}}}
And you can't return null, it will be converted to ACString and passed to
core as content type. That means you passes non empty content type for any
case even if string is empty, and if code nothing knows about this type it
going to do something bad.
}}}
{{{
> you passes non empty content type for any case even if string is empty
Or content type is empty actually, and if firefox was build with debug
enabled then
{{{
if (SniffURI(aRequest)) {
NS_ASSERTION(!mContentType.IsEmpty(),
"Content type should be known by now.");
return;
}
}}}
triggered.
Test it.
}}}
{{{
Can you explain any profit to have remotely triggerable hang? Is it worth
of suppressing for one logged exception?
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9901#comment:73>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list