DoS (infinite loop) vulnerability in HtmlCleaner 

Issue date: 04-12-2018
Affects versions: 12.6, 12.5, 11.2, 10.2

Issue ID: SECURITY-69

Affected Product Version(s)
This vulnerability affects projects based on Hippo CMS versions prior to 12.6.0, 12.5.1, 11.2.10 and 10.2.14.

Severity 
Low

Description

An authorized user who adds a specific sequence of HTML tags to a rich text field can trigger a parsing bug in the HtmlCleaner implementation. The bug sends the parser into an endless loop while processing the string, resulting in 100% CPU usage on all cores and a very slow or unresponsive server.
See: HtmlCleaner Bug #191

This vulnerability is classified as low severity, since only an authorized user can submit data that triggers it.

The HtmlCleaner version in all supported CMS maintenance versions 12.6.0, 12.5.1, 11.2.10, and 10.2.14 has been updated to version 2.22.

Note that this update introduces a small backwards incompatibility in HtmlCleaner's handling of HTML attributes. In the past, the addAttribute() method would set the attribute regardless of whether the named attribute already existed. In the new version, HtmlCleaner only sets the attribute value if no value had been set previously. To work around this change, use the following pattern wherever addAttribute() is called:

    // Remove any existing value first, so that addAttribute() behaves the same
    // before and after the upgrade to HtmlCleaner 2.22 (always overwrites).
    private void setAttribute(TagNode tagNode, String attrName, String attrValue) {
        if (tagNode.hasAttribute(attrName)) {
            tagNode.removeAttribute(attrName);
        }
        tagNode.addAttribute(attrName, attrValue);
    }
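As an added illustration that is not part of the original advisory, the following Java snippet applies the wrapper to a node parsed by HtmlCleaner and checks that the existing attribute value was actually overridden, which is the behaviour project code relied on before the upgrade. The sample HTML, the class name and the helper method names are assumptions made for this example; the HtmlCleaner, TagNode and attribute calls are HtmlCleaner's public API.

```java
import org.htmlcleaner.HtmlCleaner;
import org.htmlcleaner.TagNode;

public class AttributeOverrideCheck {

    // The workaround pattern from the advisory: remove first, then add,
    // so the attribute is overwritten regardless of HtmlCleaner version.
    static void setAttribute(TagNode tagNode, String attrName, String attrValue) {
        if (tagNode.hasAttribute(attrName)) {
            tagNode.removeAttribute(attrName);
        }
        tagNode.addAttribute(attrName, attrValue);
    }

    // href of the first <a> after a plain addAttribute() call; with 2.22 the
    // advisory states the pre-existing value is left untouched.
    static String hrefAfterAddAttribute(String html, String newHref) {
        HtmlCleaner cleaner = new HtmlCleaner();
        TagNode root = cleaner.clean(html);
        TagNode link = root.getElementsByName("a", true)[0];
        link.addAttribute("href", newHref);
        return link.getAttributeByName("href");
    }

    // Same input, but through the wrapper: the new value must win.
    static String hrefAfterSetAttribute(String html, String newHref) {
        HtmlCleaner cleaner = new HtmlCleaner();
        TagNode root = cleaner.clean(html);
        TagNode link = root.getElementsByName("a", true)[0];
        setAttribute(link, "href", newHref);
        return link.getAttributeByName("href");
    }

    public static void main(String[] args) {
        // Constructed sample input for this example (not from the advisory).
        String html = "<p><a href=\"https://example.invalid/old\">link</a></p>";
        String newHref = "https://example.invalid/new";

        System.out.println("addAttribute(): " + hrefAfterAddAttribute(html, newHref));
        System.out.println("setAttribute(): " + hrefAfterSetAttribute(html, newHref));

        // Fail loudly if the wrapper did not override the existing value; this is
        // the regression check to run once the HtmlCleaner dependency is bumped.
        if (!newHref.equals(hrefAfterSetAttribute(html, newHref))) {
            throw new IllegalStateException("attribute override did not take effect");
        }
    }
}
```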

Instructions

Every CMS customer is strongly advised to upgrade as soon as possible to the latest CMS maintenance release indicated above, or higher. This can be done by simply incrementing the version number of the parent POM of the implementation project.

As mentioned above, project-specific code should be checked for usage of the HtmlCleaner addAttribute() method and adjusted, using the pattern shown above, to maintain consistent behavior across the upgrade.