Bill Clark wrote:
On Thu, 15 Jul 2004 15:50:53 +1000, Tim Starling ts4294967296@hotmail.com wrote:
This is unacceptable because people want to use templates for things which are included many times in a single page, like superscript "Le" on fr, or fancy bullet points.
How about a MAX_INCLUDE_DEPTH then, instead?
The vulnerability with inclusion was pointed out when we had a hard-coded maximum depth of 1. As I explained in a comment in the source file:
#----------------------------------------
# Variable substitution O(N^2) attack
#-----------------------------------------
# Without countermeasures, it would be possible to attack the parser by saving a page
# filled with a large number of inclusions of large pages. The size of the generated
# page would be proportional to the square of the input size. Hence, we limit the number
# of inclusions of any given page, thus bringing any attack back to O(N).
#
-- Tim Starling
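As an added illustration (Python, not MediaWiki's own parser code): a toy template expander that applies the per-page inclusion counter described in the comment above, with a constructed page that includes a large page many times. The {{Title}} syntax, page names, sizes and the cap of 5 are assumptions for this example.

```python
import re

# Assumed inclusion syntax: {{Title}} pulls in the page called Title.
INCLUDE_RE = re.compile(r"\{\{([^{}]+)\}\}")

def expand(title, pages, limit, counts=None):
    """Expand {{...}} inclusions in `title`, including any single page at most
    `limit` times across the whole expansion (the countermeasure in the
    comment above). Returns (wikitext, per-page inclusion counts)."""
    if counts is None:
        counts = {}

    def include(match):
        name = match.group(1).strip()
        if name not in pages:
            return match.group(0)           # unknown page: leave markup as is
        counts[name] = counts.get(name, 0) + 1
        if counts[name] > limit:
            return f"[{name} omitted: inclusion limit {limit} exceeded]"
        # The same counter also terminates a page that includes itself.
        return expand(name, pages, limit, counts)[0]

    return INCLUDE_RE.sub(include, pages[title]), counts

# Constructed sample: an "Attack" page with 1,000 inclusions of a 10,000-byte page.
# Input is about 17 KB; unchecked output is 1,000 * 10,000 = 10 MB, i.e. O(N^2).
BIG_PAGE = "x" * 10_000
PAGES = {"Big": BIG_PAGE, "Attack": "{{Big}}" * 1_000}

def output_size(limit):
    """Size of the expanded Attack page under a given inclusion limit."""
    text, _ = expand("Attack", PAGES, limit)
    return len(text)

if __name__ == "__main__":
    print("no limit:", output_size(float("inf")))   # 10000000
    print("limit 5 :", output_size(5))              # well under 100 KB
```

With the cap in place, output is bounded by the cap times the total size of the included pages plus the fixed-size skip notices, so it grows linearly with the input.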