  • #9901
Closed
Created Oct 05, 2013 by Trac@tracbot

DoS of TBB when no Content-Type header and more than 512 bytes of content are sent

Following a user question in #tor where the user couldn't open the URL http://cdimage.debian.org/debian-cd/7.1.0/i386/iso-dvd/MD5SUMS in TBB, I decided to investigate the problem by simulating a webserver with netcat. (The file loads fine in non-TBB Firefox; the problem exists in both TBB beta and alpha, presumably also in stable.) Here are my findings:

  • The above resource is delivered without a Content-Type header by cdimage.debian.org.

  • Upon retrieving the resource, Firefox displays a blank page and starts consuming 100% CPU (only one core on SMP systems) periodically, backing down for a few seconds every now and then.

  • When adding a Content-Type header to the server response, Firefox shows the file in the browser (text/plain) or displays the content type warning dialog (other content type), as expected.

  • One can remove all headers (not including of course "HTTP/1.0 200 OK") and the problem will still occur.

  • The problem stops occurring once 512 bytes or less of content (without headers and \n\n) are sent. The content will then be displayed as a text file in Firefox.

  • There is no significant change on the wire between the two cases -- the reply consists of two TCP packets broken up at the same point.

In a nutshell, service can be denied by crafting a special server response to an ordinary HTTP request. However, because Firefox only consumes 1 core and occasionally backs down shortly, the user will likely be able to recover from the situation by closing the problematic tab.

Trac:
Username: sqrt2
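
A server operator can check whether a response falls into the case reported above (no Content-Type header and more than 512 bytes of content). The following is an added example, not part of the original ticket: the function names and sample responses are constructed for illustration, and the check tests only the reported condition, not its cause.

```python
import re

BODY_THRESHOLD = 512  # from the ticket: 512 bytes or less of content displays normally


def split_response(raw: bytes):
    """Split a raw HTTP response into (status_line, headers, body)."""
    # The header block ends at the first blank line; accept CRLF or bare LF,
    # since the ticket counts content after the headers and "\n\n".
    sep = re.search(rb"\r?\n\r?\n", raw)
    if sep is None:
        raise ValueError("no blank line separating headers from body")
    head, body = raw[:sep.start()], raw[sep.end():]
    lines = re.split(rb"\r?\n", head)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            # Header names are case-insensitive, so normalise to lower case.
            key = name.strip().lower().decode("latin-1")
            headers[key] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def matches_reported_condition(raw: bytes) -> bool:
    """True if the response has no Content-Type and a body over 512 bytes."""
    _, headers, body = split_response(raw)
    return "content-type" not in headers and len(body) > BODY_THRESHOLD


def build(headers: bytes, body_len: int) -> bytes:
    """Constructed sample response (not captured traffic)."""
    return b"HTTP/1.0 200 OK\r\n" + headers + b"\r\n" + b"a" * body_len


if __name__ == "__main__":
    samples = {
        "no headers, 513 bytes": build(b"", 513),
        "no headers, 512 bytes": build(b"", 512),
        "text/plain, 4096 bytes": build(b"Content-Type: text/plain\r\n", 4096),
        "other headers only, 600 bytes": build(b"Server: example\r\n", 600),
    }
    for label, raw in samples.items():
        print(f"{label}: {matches_reported_condition(raw)}")
```

To audit a real resource, save the raw response bytes (status line, headers and body) to a file and pass its contents to `matches_reported_condition`.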
