Re: Re[2]: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug
> Yes, we all know that. The flaw here was not looping on itself a
> thousands of times, wow. It was a DOM implementation flaw.
The code created an oversized list, which does not seem to be that far
from creating an overly nested DOM tree, or drawing an oversized
CANVAS shape, or any other
creating-too-many-things-for-the-renderer-to-handle attacks... but
really, I'm not trying to be dismissive, just saying that a more
holistic approach might be more beneficial in the long run.
/mz