IETF Logo Mail Archive

Re: [Cellar] Security considerations: recursive elements

Steve Lhomme <slhomme@matroska.org> Sun, 21 January 2018 17:22 UTC

Return-Path: <slhomme@matroska.org>
X-Original-To: cellar@ietfa.amsl.com
Delivered-To: cellar@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FA8D1270AB for <cellar@ietfa.amsl.com>; Sun, 21 Jan 2018 09:22:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=matroska-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MvXG3IgXqBDy for <cellar@ietfa.amsl.com>; Sun, 21 Jan 2018 09:22:36 -0800 (PST)
Received: from mail-pg0-x22d.google.com (mail-pg0-x22d.google.com [IPv6:2607:f8b0:400e:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B98D2127023 for <cellar@ietf.org>; Sun, 21 Jan 2018 09:22:36 -0800 (PST)
Received: by mail-pg0-x22d.google.com with SMTP id 136so5234593pgd.8 for <cellar@ietf.org>; Sun, 21 Jan 2018 09:22:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=matroska-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=zvIOLQQsNGhYvuKj+CfwJlSMRfvYd6KxNYMVYp8kKTo=; b=1voogSz5eSUpadzk/ZQ3hUTI6rcardNHEziCzdgBdl1eyQVF4mPJYh29K/FUdJcUcR f960lKxxkwQy216s+Ex8jTiqDMaxk4eG1CCzMGeiSr/p3H268yxZu7uYfdmImywa1OwV CJ1JL8k8sYZ9cJuosT7Ej5kc3CE7E62ADsXAKUtnlXfFmGMU2z8DOS36rES92If6HuXQ i9PxhK2WiEal2hp5oP3HjeUVGyVBk99j2QzDYHmo/gbYCecZvHjcfpaTB4pQRCkg0wmw vxjSmNJFzY4YDYDlsl10uABTo94z5KrdfnpFHaiB0n9/BOC3/lsY8nyF7AcfUV3QL3eN yx1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=zvIOLQQsNGhYvuKj+CfwJlSMRfvYd6KxNYMVYp8kKTo=; b=kgy8fHCJDEX0alwSov49iHh1zX4NaAz2uWmsh0aBrBgg7kWnqrqzTUOCe3mPWRhooi b/Dyv13+4iQXDPt9M/DmUHbhbATAJx+N9gy1agB1QsOKVNXxkSev0aXWuqKaO8yzToOI H4d0Yk7OU6fqyncve4taxd+hLYj4Wyd734EkdR2vJLlwrmVPmbSSBy+hMMyCPdR4t5lW 3SvnnSnyMLcPjfiGiyt+UcuhQFNWk1+YWGm5e1ueopkR33MrDWX4kujW7WcRI8r6dN4q WHYotGKKLKfcycG6v/RP1iIfHEKOOcK7SKbcpD+HLVRkRanK3zKW1+h0ezozPYQOifF4 ZL9g==
X-Gm-Message-State: AKwxyteIAZvProD3sKsDqk7ZmjdGLsfix1W4ItQAePtshIay427WKOrG lC9R26MrVesgqGNZ8lXt106EgKzHWj3pzwwGwU6eAQ==
X-Google-Smtp-Source: AH8x224D9d6ug+HF/mOmv2+Z/vPgVB81J1RXKKZcOkGzqBVYsk9g/747e75wT9KbMF2m25BczBHA6243KLlYcJxbxHs=
X-Received: by 2002:a17:902:20c8:: with SMTP id v8-v6mr2214228plg.226.1516555356313; Sun, 21 Jan 2018 09:22:36 -0800 (PST)
MIME-Version: 1.0
Received: by 10.236.189.150 with HTTP; Sun, 21 Jan 2018 09:22:35 -0800 (PST)
In-Reply-To: <ef896210-ed4b-7afe-5e4f-bd99298acb51@mediaarea.net>
References: <CAHUoETL6+2XokNy5skB7dzjuzowoL8kV9gNLgd6HeJYiZcXpOQ@mail.gmail.com> <ef896210-ed4b-7afe-5e4f-bd99298acb51@mediaarea.net>
From: Steve Lhomme <slhomme@matroska.org>
Date: Sun, 21 Jan 2018 18:22:35 +0100
Message-ID: <CAOXsMFLyPSaTOp57o1Mt=GjT5JYi_c4X49B_JhsrNDrknyJ48w@mail.gmail.com>
To: Jerome Martinez <jerome@mediaarea.net>
Cc: Codec Encoding for LossLess Archiving and Realtime transmission <cellar@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cellar/-B6oQUHVkURzN8IpRfJFj0xcPR0>
Subject: Re: [Cellar] Security considerations: recursive elements
X-BeenThere: cellar@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Codec Encoding for LossLess Archiving and Realtime transmission <cellar.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cellar>, <mailto:cellar-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cellar/>
List-Post: <mailto:cellar@ietf.org>
List-Help: <mailto:cellar-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cellar>, <mailto:cellar-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jan 2018 17:22:39 -0000

2018-01-17 22:01 GMT+01:00 Jerome Martinez <jerome@mediaarea.net>:
> On 17/01/2018 21:33, Michael Bradshaw wrote:
>>
>> [...]
>>
>> For example, something like "a parser SHOULD handle recursion up to X
>> levels deep, and MAY abort the parse if it reaches Y levels deep".
>>
>> Thoughts from others?
>
>
> an EBML parser can not dig in nested element without the corresponding
> dictionary (from DocType).
> So IMO it is not like XML or JSON, because XML or JSON parser tries to read
> the nested elements, but n EBML parser does not try to read any element not
> in the dictionary (so the limit is the dictionary, usually can not be
> provided by the attacker.
> It is lie JSON or XML only if the attacker can provide the dictionary.
>
> And the JSON spec specifies no limit:
> https://tools.ietf.org/html/rfc7159#section-9
> "An implementation may set limits on the maximum depth of nesting"
>
> There may be legitimate reason to have thousands of nesting level, and there
> is already a lot of debates about that with JSON (last tests I saw about
> that is ~100 levels for Ruby JSON default parser and ~1000 levels for Python
> JSON parser)
>
> So the sentence should split security issues, from the input (the file
> itself) or the dictionary (e.g. matroska specs):
> - a generic parser (reading the dictionary from input) MAY set limits on the
> maximum depth of nesting. An implementation MAY set limits on the length and
> contents.

Yes, we need an element to specify that.

> - a specialized parser (e.g. Matroska parser) SHOULD handle recursion up to
> the maximum nesting level provided by the supported dictionary of the

Yes, and going further is left to implementation.

Parsers will need to handle the case where the element is not defined
too. So they can fallback to the rule in case the maximum is reached.

> document, or 2 nesting levels, whichever is smaller (a specialized format
> could have only 1 nesting level but EBML needs at least 2, for DocType
> etc...). An alternative is to say to rely on the supported format security
> paragraph.
>
> I am not in favor of writing a number, because there is no good number to
> provide, it depends too much of the content, I am in favor of doing like
> JSON sentences (without any number, but explicitly saying that limits are
> expected).
> I hesitate in writing such kind of text in a "parser" section instead of
> security section, like the JSON RFC does.
>
>
> _______________________________________________
> Cellar mailing list
> Cellar@ietf.org
> https://www.ietf.org/mailman/listinfo/cellar



-- 
Steve Lhomme
Matroska association Chairman

v2.23.0 | Report a Bug | By Email