RUSTSEC-2019-0001

Uncontrolled recursion leads to abort in HTML serialization

Issued
Package
ammonia (crates.io)
Type
Vulnerability
Aliases
Details
https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210
Patched
  • >=2.1.0
Keywords
  • stack-overflow
  • crash
Affected Functions (affected version range)
  • ammonia::Document::to_string: <2.1.0
  • ammonia::Document::write_to: <2.1.0
  • ammonia::clean: <2.1.0

Description

Affected versions of this crate used recursion to serialize HTML DOM trees, so the call-stack depth grew with the nesting depth of the document.

This allows an attacker to cause an abort through stack overflow by supplying pathologically nested input.

The flaw was corrected by serializing the DOM tree iteratively instead.
