__/ [B Gruff] on Monday 12 December 2005 12:21 \__
> I've seen this reported in umpteen places.
>
> Now it's the Register:-
>
> http://www.theregister.co.uk/2005/12/12/firefox_history_file_bug/
>
> Now, however, there is a response on the Mozilla page.
> Sure, it's a bug - it can't deal properly with titles which are 2.5 million
> characters long(!), but where is this "Security bug" coming from?
> A bug - yes. - but "Security"?:-
>
> http://www.mozilla.org/security/history-title.html
> __________________________________________________
> Web pages with extremely long titles (the posted proof of concept used 2.5
> million characters) can cause Mozilla Firefox and the Mozilla Suite to
> appear to "hang" on startup when reading the browsing history data. The
> browser will eventually continue normally although this can take up to
> several minutes on a slower computer. The unresponsive starts will continue
> until the item with the long title is removed from the history file or
> eventually expires.
>
> We have investigated this issue and can find no basis for claims that
> variants of this denial-of-service attack can cause an exploitable crash,
> and no evidence for this claim has been offered. There does not appear to
> be any risk to users or their computers beyond the temporary
> unresponsiveness at startup.
>
> Should the user encounter this problem the slow starts can be fixed by
> deleting the item from history.
How does Internet Explorer deal with spammy sites whose titles are over
2.5 MB in size? If someone actually bothered to wait so long for the page
to load, I'd be surprised.
2.5 million characters? Is that insufficient? Who funds the identification
of such unimportant bottlenecks? And what type of useless discovery is
that?
I thought I was intolerant to dump Windows filesystems altogether for be-
ing unable to cope with paths longer than 255 characters. I hadn't even
realise the cause for that until Windows developers told me. This also
means that if I ever want to copy my files back to a Windows FS, I can't
(not trivially though). More annoyingly, Windows permits the creation of
long paths, but refuses to deal with them over the network. How
counter-intuitive. It has similar issues with unicode in filenames.
Roy
|
|