[css-variables-1] Specify a required defense against the "billion laughs" attack. Fixes w3c#3733

tabatkins · tabatkins · commit 5e36a2e53f38 · 2019-03-15T11:44:50.000-07:00
diff --git a/css-variables-1/Overview.bs b/css-variables-1/Overview.bs
@@ -635,6 +635,51 @@ Variables in Shorthand Properties</h3>
 	if any of the longhand subproperties for that shorthand have <a>pending-substitution values</a>
 	then the serialized value of the shorthand must be the empty string.
 
+<h3 id=long-variables>
+Safely Handling Overly-Long Variables</h3>
+
+	Naively implemented,
+	''var()'' functions can be used in a variation of the "billion laughs attack":
+
+	<div class=example>
+		<pre lang=css>
+		.foo {
+			--prop1: lol;
+			--prop2: var(--prop1) var(--prop1);
+			--prop3: var(--prop2) var(--prop2);
+			--prop4: var(--prop3) var(--prop3);
+			/* etc */
+		}
+		</pre>
+
+		In this short example, ''--prop4''’s computed value is ''lol lol lol lol lol lol lol lol'',
+		containing 8 copies of the original ''lol''.
+		Every additional level added to this doubles the number of identifiers;
+		extending it to a mere 30 levels,
+		the work of a few minutes by hand,
+		would make ''--prop30'' contain <em>nearly a billion instances</em> of the identifier.
+	</div>
+
+	To avoid this sort of attack,
+	UAs must impose a UA-defined limit on the allowed length of the token stream
+	that a ''var()'' function expands into.
+	If a ''var()'' would expand into a longer token stream than this limit,
+	it instead makes the property it's expanding into
+	[=invalid at computed-value time=].
+
+	This specification does not define what size limit should be imposed.
+	However, since there are valid use-cases for custom properties that contain a kilobyte or more of text,
+	it's recommended that the limit be set relatively high.
+
+	Note: The general principle that UAs are allowed to violate standards due to resource constraints
+	is still generally true here;
+	a UA might, separately, have limits on how long of a custom property they can support,
+	or how large of an identifier they can support.
+	This section calls out this attack specifically
+	because of its long history,
+	and the fact that it can be done without any of the pieces
+	<em>seeming</em> to be too large on first inspection.
+
 
 
 <!--
@@ -706,5 +751,9 @@ Privacy and Security Considerations {#priv-sec}
 ===============================================
 
 This specification defines a purely author-level mechanism for passing styling information around within a page they control.
+As such, there are no new privacy considerations.
 
-As such, there are no new privacy or security considerations.
+[[#long-variables]] calls out a long-standing Denial-of-Service attack
+that can be mounted against "macro-expansion"-like mechanisms,
+such as the ''var()'' function,
+and mandates a defense against that attack.
