[net] html: impose open element stack size limit

[Roland Shoemaker (Gerrit)]

Roland Shoemaker submitted the change

Change information

Commit message:

html: impose open element stack size limit

The HTML specification contains a number of algorithms which are
quadratic in complexity by design. Instead of adding complicated
workarounds to prevent these cases from becoming extremely expensive in
pathological cases, we impose a limit of 512 to the size of the stack of
open elements. It is extremely unlikely that non-adversarial HTML
documents will ever hit this limit (but if we see cases of this, we may
want to make the limit configurable via a ParseOption).

Thanks to Guido Vranken and Jakub Ciolek for both independently
reporting this issue.

Fixes CVE-2025-47911
Fixes golang/go#75682

Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad

Reviewed-on: https://go-review.googlesource.com/c/net/+/709876

Reviewed-by: Damien Neil <dn...@google.com>

LUCI-TryBot-Result: Go LUCI <golang...@luci-project-accounts.iam.gserviceaccount.com>

Files:

• M html/escape.go
• M html/parse.go
• M html/parse_test.go

Change size: S

Delta: 3 files changed, 43 insertions(+), 5 deletions(-)

Branch: refs/heads/master

Submit Requirements:

• Code-Review: +2 by Damien Neil
• TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

Gerrit-MessageType: merged

Gerrit-Project: net

Gerrit-Branch: master

Gerrit-Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad

Gerrit-Change-Number: 709876

Gerrit-PatchSet: 3

Gerrit-Owner: Roland Shoemaker <rol...@golang.org>

Gerrit-Reviewer: Damien Neil <dn...@google.com>

Gerrit-Reviewer: Go LUCI <golang...@luci-project-accounts.iam.gserviceaccount.com>

Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>