DoS of TBB when no Content-Type header and more than 512 bytes of content are sent
Following a user question in #tor where the user couldn't open the URL http://cdimage.debian.org/debian-cd/7.1.0/i386/iso-dvd/MD5SUMS in TBB, I decided to investigate the problem by simulating a webserver with netcat. (The file loads fine in non-TBB Firefox; the problem exists in both TBB beta and alpha, presumably also in stable.) Here are my findings:
- The above resource is delivered without a Content-Type header by cdimage.debian.org.
- Upon retrieving the resource, Firefox displays a blank page and starts consuming 100% CPU (only one core on SMP systems) periodically, backing off for a few seconds every now and then.
- When a Content-Type header is added to the server response, Firefox shows the file in the browser (text/plain) or displays the content type warning dialog (other content types), as expected.
- One can remove all headers (except, of course, the status line "HTTP/1.0 200 OK") and the problem will still occur.
- The problem stops occurring once 512 bytes or less of content (not counting headers and the "\n\n" separator) are sent. The content is then displayed as a text file in Firefox.
- There is no significant change on the wire between the two cases -- the reply consists of two TCP packets broken up at the same point.
In a nutshell, service can be denied by crafting a special server response to an ordinary HTTP request. However, because Firefox only consumes one core and occasionally backs off for a short while, the user will likely be able to recover from the situation by closing the problematic tab.
Trac:
Username: sqrt2