←back to thread

Google is killing the open web, part 2

(wok.oblomov.eu)
418 points akagusu | 9 comments | 17 Nov 25 15:41 UTC | HN request time: 0.404s | source | bottom
Show context
nwellnhof ◴[17 Nov 25 16:33 UTC] No.45955183[source]
Removing XSLT from browsers was long overdue and I'm saying that as ex-maintainer of libxslt who probably triggered (not caused) this removal. What's more interesting is that Chromium plans to switch to a Rust-based XML parser. Currently, they seem to favor xml-rs which only implements a subset of XML. So apparently, Google is willing to remove standards-compliant XML support as well. This is a lot more concerning.
replies(11): >>45955239 #>>45955425 #>>45955442 #>>45955667 #>>45955747 #>>45955961 #>>45956057 #>>45957011 #>>45957170 #>>45957880 #>>45977574 #
1. zetafunction ◴[17 Nov 25 17:16 UTC] No.45955667[source]
https://issues.chromium.org/issues/451401343 tracks work needed in the upstream xml-rs repository, so it seems like the team is working on addressing issues that would affect standards compliance.

Disclaimer: I work on Chrome and have occasionally dabbled in libxml2/libxslt in the past, but I'm not directly involved in any of the current work.

replies(2): >>45955710 #>>45956175 #
2. Ygg2 ◴[17 Nov 25 17:20 UTC] No.45955710[source]
Wait. They are going along with a XML parser that supports DOCTYPES? I get XSLT is ancient and full of exploits, but so is DOCTYPE. Literally poster boy for billion laughs attack (among other vectors).
replies(3): >>45955868 #>>45956180 #>>45956321 #
3. mananaysiempre ◴[17 Nov 25 17:35 UTC] No.45955868[source]
You don't need DOCTYPE for that, you can put an ENTITY declaration straight in your source file ("internal subset") and the XML spec it needs to be processed. (I seem to recall someone saying that Adobe tools are fond of putting those in their exported SVG files.)
4. inejge ◴[17 Nov 25 18:07 UTC] No.45956175[source]
I hope they will also work on speeding it up a bit. I needed to go through 25-30 MB SAML metadata dumps, and an xml-rs pull parser took 3x more time than the equivalent in Python (using libxml2 internally, I think.) I rewrote it all with quick-xml and got a 7-8x speedup over Python, i.e., at least 20x over xml-rs.
replies(1): >>45957967 #
5. fabrice_d ◴[17 Nov 25 18:07 UTC] No.45956180[source]
The billion laughs attack has well known solutions (basically, don't recurse too deep). It's not a reason to not implement DOCTYPE support.
replies(1): >>45963054 #
6. Mikhail_Edoshin ◴[17 Nov 25 18:22 UTC] No.45956321[source]
The billion laughs bug was fixed in libxml2 in 2008. (As far as I understand in .Net this bug was fixed in 2014 with .Net 4.5.2. In 2019 a bug similar to "billion laughs" was found in Go YAML parser although it was explicitly mentioned and forbidden by YAML specs. Among other products it affected Kubernetes.)

Other vectors probably mean a single vector: external entities, where a) you process untrusted XML on server and b) allow the processor to read external entities. This is not a bug, but early versions of XML processors may lack an option to disallow access to external entities. This also has been fixed.

XSLT has no exploits at all, that is no features that can be misused.

replies(1): >>45963101 #
7. nwellnhof ◴[17 Nov 25 20:34 UTC] No.45957967[source]
Python ElementTree uses Expat, only lxml uses libxml2. Right now, I'm working on SIMD acceleration in my not yet released, GPL-licensed fork of libxml2. If you have lots of character data or large attribute values like in SVG, you will see tremendous speed improvements (gigabytes per second). Unfortunately, this is unlikely to make it into web browsers.
8. Ygg2 ◴[18 Nov 25 09:25 UTC] No.45963054{3}[source]
> The billion laughs attack has well known solutions (basically, don't recurse too deep)

You can then recurse wide. In theory it's best to allow only X placeables of up to Y size.

The point is, Doctype/External entities do a similar thing to XSLT/XSD (replacing elements with other elements), but in a positively ancient way.

9. Ygg2 ◴[18 Nov 25 09:35 UTC] No.45963101{3}[source]
> Other vectors probably mean a single vector: external entities,

XXE injection (which comes in several flavors), remote DTD retrieval, and quadratic blowup (a sort of twin to the billion laughs attack).

You aren't wrong though. They all live in <!DOCTYPE definition. Hence, my puzzlement.

Why process it at all? If this is as security focused as Google claims, fill the DOCTYPE with molten tungsten and throw it into the Mariana Trench. The external entities definition makes XSLT look well designed in comparison.