SoylentNews is people

posted by janrinok on Tuesday June 23 2015, @02:31PM
from the simple-but-effective dept.

A Favicon bug lets Chrome and Firefox download huge favicon files to the point they crash the browser:

Andrea De Pasquale posted a tweet saying "Weird 64MB favicon.ico turning out to be a TAR backup of the whole WP site, downloaded by every browser passing by."

This creepy bug makes Chrome and Firefox download the huge favicon files to the point that they crash the browser. The silliest part is that the users are not at all aware of this download as it is all done in the background and who is truly to be blamed for this.

[...] Technically, the existence of this bug is no surprise, as there is no rule of standard anywhere which states that the favicon files have to be below a specified limit. As a matter of fact, the favicon files need not be .ico files. A lot of GIF, PNG or JPEG files are used with popular websites, and there are no limitations linked to the file's extension.


This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1, Insightful) by Anonymous Coward on Tuesday June 23 2015, @03:19PM

    by Anonymous Coward on Tuesday June 23 2015, @03:19PM (#199921)

    Technically, the existence of this bug is no surprise, as there is no rule of standard anywhere which states that the favicon files have to be below a specified limit.

    It is only no surprise if you assume that programmers don't know to check their stuff.

    No limit given means you have to expect arbitrarily large files and handle them gracefully. This can mean ignoring files that are too large to handle. It cannot mean crashing. A crash always means that you made an assumption without checking that this assumption holds for your input. In this case, the assumption was that the favicon files will not be arbitrarily large, and/or that it will always be a valid image file.

    External input must always be checked, especially if it comes from an untrusted source. And frankly, I'm surprised that downloading the favicon behaves differently than downloading anything else, because at the end the only difference between a favicon and another image is where it gets displayed.

    Starting Score:    0  points
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  

    Total Score:   1  
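The handling argued for in the comment above, sketched as an added example (not browser code and not part of the original thread): read the favicon body in chunks, reject anything that does not start like an image, and abandon the download once a cap is exceeded. The 1 MiB cap, the function names and the sample byte strings are assumptions constructed for illustration.

```python
import io

MAX_FAVICON_BYTES = 1024 * 1024   # assumed cap; no standard defines one
CHUNK = 64 * 1024

# Leading magic bytes of the image types the article lists as favicon formats.
MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}


def sniff_image_type(head):
    """Return the image type indicated by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def fetch_favicon(stream, limit=MAX_FAVICON_BYTES):
    """Read an untrusted favicon body from a file-like object.

    Returns (kind, data) on success or (None, reason) on rejection.
    Never buffers more than limit + CHUNK bytes, whatever the server sends.
    Assumes the first read yields at least the 8 bytes needed for sniffing.
    """
    first = stream.read(CHUNK)
    kind = sniff_image_type(first)
    if kind is None:
        return None, "not an image"      # e.g. a TAR archive: stop after one chunk
    buf = bytearray(first)
    while len(buf) <= limit:
        chunk = stream.read(CHUNK)
        if not chunk:
            return kind, bytes(buf)      # whole body fits under the cap
        buf.extend(chunk)
    return None, "too large"             # abandon the download instead of crashing


# Constructed sample inputs (not real captures).
SMALL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 500
TAR_BACKUP = b"wp-content/".ljust(257, b"\x00") + b"ustar\x00" + b"\x00" * (4 * 1024 * 1024)
HUGE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * (4 * 1024 * 1024)
```

The magic-byte check is only a cheap first filter; the decoder that later parses the image still has to tolerate malformed data.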
  • (Score: 3, Interesting) by MichaelDavidCrawford on Tuesday June 23 2015, @03:43PM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Tuesday June 23 2015, @03:43PM (#199932) Homepage Journal

    It is trivial to crash mobile safari, just spend ten minutes on Facebook.

    This is inexcusable.

    My MacBook Pro just bit the dust. For many reasons I may never purchase an Apple product ever again.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 2) by GungnirSniper on Tuesday June 23 2015, @03:49PM

      by GungnirSniper (1671) on Tuesday June 23 2015, @03:49PM (#199938) Journal

      Funny, Facebook doesn't kill my mobile browser but things with too many scripts will, like Reason.com. I wonder if that's intended to push us towards mobile (spyware) apps for each site.

    • (Score: 2) by Tramii on Tuesday June 23 2015, @04:16PM

      by Tramii (920) on Tuesday June 23 2015, @04:16PM (#199955)

      It is trivial to crash mobile safari, just spend ten minutes on Facebook.

      I just tested this on my iPhone and determined that it was not "trivial". I normally use the Facebook app and was curious to see if I could indeed crash Safari by clicking around on things for 10 minutes. Everything worked fine and mobile Safari did not crash. Of course, I don't have 10,000 friends constantly spamming me with worthless posts, so maybe that's the difference. ¯\_(ツ)_/¯

      • (Score: 2) by Freeman on Tuesday June 23 2015, @04:40PM

        by Freeman (732) on Tuesday June 23 2015, @04:40PM (#199966) Journal

        I tried totally ignoring facebook. I still do for the most part, but too many people that I actually care about use it. So, I end up checking it once every couple of months, sometimes more frequently. Plus, my wife is on it, nearly constantly, so I don't really need to check it very often.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
        • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @08:08PM

          by Anonymous Coward on Tuesday June 23 2015, @08:08PM (#200067)

          ...ignoring facebook. I still do for the most part, but too many people that I actually care about use it.

          Sounds like you care about the wrong kinds of people{grin}. I ignore fb and don't miss much of anything, my friends do the same.

      • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @04:57PM

        by Anonymous Coward on Tuesday June 23 2015, @04:57PM (#199978)

        Try Zerohedge [zerohedge.com] or The Green Site [slashdot.org] on the latest generation of iPod if you want to experience a crash. Both dump more ad-tracking code than Safari can handle (or than anyone should have ever reasonably been expected to handle).

        • (Score: 2) by Tramii on Tuesday June 23 2015, @06:29PM

          by Tramii (920) on Tuesday June 23 2015, @06:29PM (#200019)

          Fair enough. But I don't think I would sweat it if my MP3 player choked while trying to render a bloated website.

    • (Score: 1, Funny) by Anonymous Coward on Tuesday June 23 2015, @08:43PM

      by Anonymous Coward on Tuesday June 23 2015, @08:43PM (#200091)

      Surely that's a feature, not a bug. ;P

  • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @03:44PM

    by Anonymous Coward on Tuesday June 23 2015, @03:44PM (#199933)

    And frankly, I'm surprised that downloading the favicon behaves differently than downloading anything else, because at the end the only difference between a favicon and another image is where it gets displayed.

    My experience is that very large images of all flavours tend to cause major problems in Firefox. Especially if they are scaled by the browser. I suspect you'd see the same problem if the image was displayed on the page. I guess the difference is that with favicons it is less obvious what's going on.