This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 204 - Potential DoS in Recursive Calls
Summary: Potential DoS in Recursive Calls
Status: RESOLVED FIXED
Alias: None
Product: Validator
Classification: Unclassified
Component: check (show other bugs)
Version: 0.6.1
Hardware: All All
Importance: P2 critical
Target Milestone: ---
Assignee: Terje Bless
QA Contact: qa-dev tracking
URL: http://www.w3.org/mid/20030226204438....
Whiteboard:
Keywords:
Depends on:
Blocks: 856
Reported: 2003-04-19 23:46 UTC by Terje Bless
Modified: 2005-02-05 21:03 UTC (History)

Description Terje Bless 2003-04-19 23:46:10 UTC
From: SteveC <steve@fractalus.com>

I looked for a while through the mailing list archive and couldn't find anything
like this so please don't flame me :-)

It appears possible to ask the validator to check itself, then check itself
checking itself, then check itself checking itself checking itself and so on
recursively.

I tried the first 6 levels of recursion and got a roughly linearly increasing
delay of about an extra second per recursion level. This makes it interesting
as a DoS attack as you could cause multiple amounts of load on the machine for
a trivial increase in network traffic.

I don't know if it is actually calling itself, but the increasing load time
would seem to suggest it.
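One defensive check for the chain described above, written as an added example for this archive page and not the validator's own fix (which this bug does not show): walk the nested uri= parameters and count how many levels point back at the validator's own host, then refuse anything that is self-referential. The host names, the /check path and the threshold are assumptions, not values from the bug.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Assumed, constructed values: the validator's own host names and the path
# of its check endpoint. None of these come from the bug report.
OWN_HOSTS = {"validator.example", "localhost", "127.0.0.1"}
CHECK_PATH = "/check"
MAX_SELF_DEPTH = 0  # refuse any request whose target is the validator itself


def self_reference_depth(url: str) -> int:
    """Count how many nested levels of the request chain point at the validator.

    0: the target is some other site.
    1: the target is the validator itself (its home page, or a check results
       page for an external site).
    n: the target is the check endpoint whose own uri= parameter is a chain of
       depth n-1 (the validator checking itself checking itself ...).
    The loop terminates because each nested uri= value is strictly shorter.
    """
    depth = 0
    while url:
        parts = urlsplit(url)
        # hostname is lower-cased and has any :port stripped already
        if (parts.hostname or "") not in OWN_HOSTS:
            break
        depth += 1
        if parts.path != CHECK_PATH:
            break
        # parse_qs percent-decodes, so encoded and raw nested URLs both work
        nested = parse_qs(parts.query).get("uri")
        url = nested[0] if nested else ""
    return depth


def should_refuse(url: str) -> bool:
    """Policy hook: reject before fetching, so no load is spent on the chain."""
    return self_reference_depth(url) > MAX_SELF_DEPTH


def nested_check_url(levels: int, final_target: str = "http://validator.example/") -> str:
    """Constructed sample input: wrap final_target in `levels` check?uri= layers."""
    url = final_target
    for _ in range(levels):
        url = f"http://validator.example{CHECK_PATH}?uri=" + quote(url, safe="")
    return url
```

The check only sees what the submitted URL says; a target on another host that redirects back to the validator would still need a fetch-time check on the resolved host.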
Comment 1 Terje Bless 2003-05-24 07:52:01 UTC
Ain't gonna happen for 0.6.2; retargeting to 0.7.0.
Comment 2 Terje Bless 2004-09-01 13:01:42 UTC
This should at the very least be investigated for possible fix for 0.7.0.
Comment 3 Terje Bless 2004-09-09 18:28:00 UTC
All the ideas I can come up with for resolving this are crufty or incomplete,
so I'm leaving off touching this for 0.7.0 (feel free to jump in here if you
have a good idea). Retargeting and removing blocker.
Comment 5 Terje Bless 2005-02-05 21:03:10 UTC
We now have a first approximation of a fix for this in CVS HEAD.