Bug 184542

Summary: CSS variables (custom properties) bug & a potential crash
Product: WebKit Reporter: Roman Komarov <kizmarh>
Component: CSSAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Major CC: ahmad.saleem792, ap, bfulgham, emilio, jonlee, justin_michaud, koivisto, rniwa, simon.fraser, twilco.o, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: Safari 11   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 190039    
Bug Blocks:    
Attachments:
Description Flags
Crash page none

Roman Komarov
Reported 2018-04-12 09:03:14 PDT
Created attachment 337803 [details] Crash page Steps to reproduce: Go to https://codepen.io/kizu/pen/MVRRMq (I have managed to reproduce both the bug and the crash both on desktop and mobile safari) In every other browser (including Chrome) the header should have a lime background, but in Safari it gets the pink one. Its also possible to cause this page to crash when creating circularity (uncomment the commented line in the above example, or go to https://codepen.io/kizu/pen/OvGYXx, or open an attached page), which is probably related to the above bug as every other browser handle this without crashing (and properly displaying pink background as --foo becomes invalid). Due to crash being caused by really short CSS string which is possible to pass just as a style attribute to an HTML element, I think it could be really dangerous.
Attachments
Crash page (395 bytes, text/html)
2018-04-12 09:03 PDT, Roman Komarov 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Roman Komarov
Comment 1 2018-04-12 09:12:12 PDT
Found the minimal CSS that causes the crash: *{--:var(---,var(--))}
Alexey Proskuryakov
Comment 2 2018-04-12 09:52:58 PDT
Looks like infinite recursion. Not sure if the crash and the bug are closely enough related to track in one issue.
Radar WebKit Bug Importer
Comment 3 2018-04-12 09:53:21 PDT
<rdar://problem/39384155>
Roman Komarov
Comment 4 2018-04-12 10:12:50 PDT
Yes, not sure if they related, but seem to be in both cases related to the variable's fallback, but feel free to split into a new one anyway.
Roman Komarov
Comment 5 2018-10-03 07:14:23 PDT
Any news about this? I find that having a case where 22-characters if CSS cause a crash to be rather dangerous, as it could be possible to use it as an attack, by inserting it somewhere where you have an access to CSS/HTML, and via it basically disabling the browsing experience for anyone using Safari. Also, a question: is it something that would be safe to write about in social networks, so people would know that this is possible and could potentially protect themselves by stripping CSS variables from any user-generated fields, and also as an interesting anecdote about the circularity in CSS?
Tyler Wilcock
Comment 6 2020-10-03 22:07:04 PDT
I can't reproduce this in Safari Version 14.0 (15610.1.28.1.9, 15610). I get a lime green background, and no crash from the Codepen nor the minimal CSS you've provided. Can you confirm whether or not this is still an issue?
Ahmad Saleem
Comment 7 2022-08-20 17:35:18 PDT
I am not able to reproduce any crash with test case in Safari 15.6.1 and Safari Technology Preview 151 but I don't get "Lime" background but light reddish / pinkish background and it is same as other browsers (Chrome Canary 106 and Firefox Nightly 105). Please mark this bug accordingly. Thanks!
Note You need to log in before you can comment on or make changes to this bug.