pegasus
Well-known member
- Affected version
- 2.3.0 Beta 8
Currently there is no protection against scenarios that result in recursion when using the EMBED BB-Code, apart from maximum template depth which is hardcoded at 50.
The most egregious example is:
1. Write a post with content.
2. Edit the post, adding an EMBED that refers to the same post.
3. The result:
There are other, less obvious variations of this, such as posts that refer to other posts in long circuitous chains.
It is also possible to specially craft embeddable posts so that maximum depth is never reached, yet we run out the clock on PHP execution time.
It is also possible to make an extremely long post by abusing hundreds of embeds side by side (no depth), if the target content is already sufficiently long. Using the default embed snippet length of 600, one can easily make a post containing several hundred thousand characters using fewer than 1k copy-pasted embeds.
The simplest way to fix all possible scenarios that exploit depth is for the EMBED BB-Code to render as an empty string when rendering from within EmbedController, and also when renderTagEmbed is already in the call stack.
For posts with hundreds of embeds, the BB-Code renderer should track how many embeds it has rendered for each content, and render any more than a potentially-configurable maximum value per content as an empty string.
Code:
ErrorException: Template error: [E_USER_WARNING] Max template execution depth reached src/XF/Template/Templater.php:1697
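A small model of the two guards the report proposes (an empty string for any EMBED reached while an embed is already being rendered, and a per-content cap on rendered embeds), written here as an added Python example; it is not XenForo's code, and the `[EMBED]id[/EMBED]` syntax, the `Renderer` class and the `MAX_EMBEDS_PER_CONTENT` constant are illustrative.

```python
import re

# Illustrative BB-code shape: [EMBED]<post id>[/EMBED]
EMBED_RE = re.compile(r"\[EMBED\](\d+)\[/EMBED\]", re.IGNORECASE)
SNIPPET_LENGTH = 600            # default snippet length mentioned in the report
MAX_EMBEDS_PER_CONTENT = 10     # assumed configurable cap per rendered content


class Renderer:
    def __init__(self, posts, max_embeds=MAX_EMBEDS_PER_CONTENT,
                 snippet_length=SNIPPET_LENGTH):
        self.posts = posts              # constructed store: {post_id: bbcode text}
        self.max_embeds = max_embeds
        self.snippet_length = snippet_length
        self._in_embed = False          # stands in for "renderTagEmbed is on the call stack"
        self._embed_counts = {}         # embeds rendered so far, keyed by host content id

    def render(self, post_id):
        """Render one post; the cap is counted against this post as the host content."""
        self._embed_counts[post_id] = 0
        return self._expand(post_id, self.posts[post_id])

    def _expand(self, host_id, text):
        return EMBED_RE.sub(
            lambda m: self._render_embed(host_id, int(m.group(1))), text)

    def _render_embed(self, host_id, target_id):
        # Guard 1: an embed inside an embed renders as nothing, so self-references
        # and A->B->A chains terminate after one level instead of hitting depth 50.
        if self._in_embed:
            return ""
        # Guard 2: side-by-side embeds beyond the per-content cap also render as nothing,
        # bounding output size at roughly max_embeds * snippet_length.
        self._embed_counts[host_id] += 1
        if self._embed_counts[host_id] > self.max_embeds:
            return ""
        target = self.posts.get(target_id)
        if target is None:
            return ""
        self._in_embed = True
        try:
            snippet = self._expand(host_id, target)   # nested EMBEDs hit guard 1
        finally:
            self._in_embed = False
        return "[quote]" + snippet[:self.snippet_length] + "[/quote]"
```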