Fix infinite loop in Lexer.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2024-12-22 08:21:52 +00:00 · 2013-10-27 21:41:08 -07:00 · 2013-10-27 21:41:08 -07:00 · 54477c172b
commit 54477c172b
parent e52d1fe310
4 changed files with 14 additions and 6 deletions
--- a/1
+++ b/1
@ -28,6 +28,7 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
  spaces and commas are not included as part of URL.  Thanks nAS for fixing.
 - Fix some bad interactions with %HTML.Allowed and injectors.  Thanks
  David Hirtz for reporting.
+- Fix infinite loop in DirectLex. Thanks Ashar Javed for reporting.

 4.5.0, released 2013-02-17
 # Fix bug where stacked attribute transforms clobber each other;
--- a/library/HTMLPurifier/Lexer/DirectLex.php
+++ b/library/HTMLPurifier/Lexer/DirectLex.php
@ -441,11 +441,12 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
        // space, so let's guarantee that there's always a terminating space.
        $string .= ' ';

-        while (true) {
-
-            if ($cursor >= $size) {
-                break;
+        $old_cursor = -1;
+        while ($cursor < $size) {
+            if ($old_cursor >= $cursor) {
+                throw new Exception("Infinite loop detected");
            }
+            $old_cursor = $cursor;

            $cursor += ($value = strspn($string, $this->_whitespace, $cursor));
            // grab the key
@ -463,7 +464,7 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
                if ($e) {
                    $e->send(E_ERROR, 'Lexer: Missing attribute key');
                }
-                $cursor += strcspn($string, $this->_whitespace, $cursor + 1); // prevent infinite loop
+                $cursor += 1 + strcspn($string, $this->_whitespace, $cursor + 1); // prevent infinite loop
                continue; // empty key
            }

--- a/tests/HTMLPurifier/HTMLT/style-onload.htmlt
+++ b/tests/HTMLPurifier/HTMLT/style-onload.htmlt
@ -0,0 +1,6 @@
+--INI--
+Core.CollectErrors = true
+--HTML--
+<style/onload    =    !-alert&#x28;1&#x29;>
+--EXPECT--
+--# vim: et sw=4 sts=4
--- a/tests/HTMLPurifier/Lexer/DirectLexTest.php
+++ b/tests/HTMLPurifier/Lexer/DirectLexTest.php
@ -56,7 +56,7 @@ class HTMLPurifier_Lexer_DirectLexTest extends HTMLPurifier_Harness
        $expect[11] = array();

        $input[12] = '="" =""';
-        $expect[12] = array('"' => ''); // tough to say, just don't throw a loop
+        $expect[12] = array(); // tough to say, just don't throw a loop

        $input[13] = 'href="';
        $expect[13] = array('href' => '');