From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED.blaine.gmane.org!not-for-mail From: Lars Ingebrigtsen Newsgroups: gmane.emacs.bugs Subject: bug#19565: Emacs vulnerable to endless-data attack (minor) Date: Mon, 07 Oct 2019 03:51:35 +0200 Message-ID: <874l0le314.fsf@gnus.org> References: <83a7ad3hlf.fsf@gnu.org> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: blaine.gmane.org; posting-host="blaine.gmane.org:195.159.176.226"; logging-data="85103"; mail-complaints-to="usenet@blaine.gmane.org" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) Cc: Stefan Kangas , 19565@debbugs.gnu.org To: Eli Zaretskii Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Mon Oct 07 03:52:13 2019 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([209.51.188.17]) by blaine.gmane.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1iHIC5-000Lyv-Jw for geb-bug-gnu-emacs@m.gmane.org; Mon, 07 Oct 2019 03:52:13 +0200 Original-Received: from localhost ([::1]:39944 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iHIC2-0006Bn-QG for geb-bug-gnu-emacs@m.gmane.org; Sun, 06 Oct 2019 21:52:10 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:41679) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iHIBv-0006Be-OL for bug-gnu-emacs@gnu.org; Sun, 06 Oct 2019 21:52:04 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1iHIBu-0003i2-Il for bug-gnu-emacs@gnu.org; Sun, 06 Oct 2019 21:52:03 -0400 Original-Received: from debbugs.gnu.org ([209.51.188.43]:38220) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1iHIBu-0003hy-G3 for bug-gnu-emacs@gnu.org; Sun, 06 Oct 2019 21:52:02 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1iHIBu-0002l8-B8 for bug-gnu-emacs@gnu.org; Sun, 06 Oct 2019 21:52:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Lars Ingebrigtsen Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Mon, 07 Oct 2019 01:52:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 19565 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security Original-Received: via spool by 19565-submit@debbugs.gnu.org id=B19565.157041310310581 (code B ref 19565); Mon, 07 Oct 2019 01:52:02 +0000 Original-Received: (at 19565) by debbugs.gnu.org; 7 Oct 2019 01:51:43 +0000 Original-Received: from localhost ([127.0.0.1]:47041 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iHIBa-0002kb-JB for submit@debbugs.gnu.org; Sun, 06 Oct 2019 21:51:42 -0400 Original-Received: from quimby.gnus.org ([80.91.231.51]:53178) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iHIBY-0002kS-M7 for 19565@debbugs.gnu.org; Sun, 06 Oct 2019 21:51:41 -0400 Original-Received: from cm-84.212.202.86.getinternet.no ([84.212.202.86] helo=marnie) by quimby.gnus.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1iHIBT-0003uP-M7; Mon, 07 Oct 2019 03:51:38 +0200 In-Reply-To: <83a7ad3hlf.fsf@gnu.org> (Eli Zaretskii's message of "Sun, 06 Oct 2019 20:32:28 +0300") X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.51.188.43 X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.org gmane.emacs.bugs:168472 Archived-At: Eli Zaretskii writes: >> I think this affects more than just package.el. AFAICT, anywhere we >> use the url library, an endless data attack can get Emacs to fill up >> all available memory (wasting also bandwidth resources, of course). > > At which point the system will kill the Emacs process. Why is that a > problem we need to work, given that we already have at least some > protection against stack overflows and running out of memory? It's not something we have to do, but it would be nice to have some protection against this. >> For example, a new keyword argument :max-size, which would make it >> stop after having reached that many bytes. > > The Gnu Coding Standards frown on having arbitrary limits in a > program. So this could only work if we had some reasonable way of > computing a limit that is not arbitrary. I think it would perhaps make some sense to warn (or query) the user if you get more data than `large-file-warning-threshold'. I think it would be pretty trivial to implement -- at least in the new with-fetched-url interface, which I think is where this pretty theoretical problem is least theoretical, perhaps? On the other hand, I could see that in some ways it would be easier to implement in wait_reading_process_output: We could just maintain a byte counter in the process objects (if we don't do that already) and have a callback we call if that counter grows larger than `large-file-warning-threshold'. That way Emacs wouldn't be open to flooding from, say, rogue SMTP servers, either. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no