Inifinite loop in rcube_washtml->dumpHtml()

[rcubetrac]

Reported by flack on 17 May 2013 14:06 UTC as Trac ticket #1489110

On some messages in a user mailbox, the following error appears when opening them:

( ! ) Fatal error: Maximum function nesting level of '100' reached, aborting! in ./program/lib/Roundcube/rcube_washtml.php on line 289
Call Stack
#   Time    Memory  Function    Location
1   0.0001  645480  {main}( )   ../index.php:0
2   0.0299  2913480 include_once( './program/steps/mail/show.inc' ) ../index.php:285
3   0.0551  3334312 rcmail_output_html->send( ) ../show.inc:293
4   0.0551  3334392 rcmail_output_html->parse( )    ../rcmail_output_html.php:364
5   0.0565  3341976 rcmail_output_html->parse_xml( )    ../rcmail_output_html.php:504
6   0.0565  3342936 preg_replace_callback ( )   ../rcmail_output_html.php:804
7   0.0817  3430016 rcmail_output_html->xml_command( )  ../rcmail_output_html.php:804
8   0.0818  3431672 call_user_func ( )  ../rcmail_output_html.php:924
9   0.0818  3431728 rcmail_message_body( )  ../rcmail_output_html.php:924
10  0.1094  3523536 rcmail_print_body( )    ../func.inc:1125
11  0.1094  3524992 rcmail_wash_html( ) ../func.inc:713
12  0.1112  3677080 rcube_washtml->wash( )  ../func.inc:681
13  0.1242  3854200 rcube_washtml->dumpHtml( )  ../rcube_washtml.php:362
14  0.1243  3855608 rcube_washtml->dumpHtml( )  ../rcube_washtml.php:314
15  0.1243  3856488 rcube_washtml->dumpHtml( )  ../rcube_washtml.php:305
16  0.1247  3858928 rcube_washtml->dumpHtml( )  ../rcube_washtml.php:305
17  0.1247  3859904 rcube_washtml->dumpHtml( )  ../rcube_washtml.php:305
18  0.1247  3861216 rcube_washtml->dumpHtml( )  ../rcube_washtml.php:305
19  0.1270  3865872 rcube_washtml->dumpHtml( )  ../rcube_washtml.php:305
20  0.1270  3866912 rcube_washtml->dumpHtml( )  ../rcube_washtml.php:305
[last line is then repeated another 80 times](the)

I have a sample message here, but since it contains private information, I don't want to put it on a public bug tracker. I can provide it on request, though

Migrated-From: http://trac.roundcube.net/ticket/1489110

[rcubetrac]

Comment by @alecpl on 17 May 2013 16:21 UTC

Please, send the message source to alec at alec dot pl.

[rcubetrac]

Milestone changed by @alecpl on 17 May 2013 16:21 UTC

later => 0.9.1

[rcubetrac]

Comment by @alecpl on 17 May 2013 17:05 UTC

Got it. The HTML code in the message is very bad. It contains ca. 150 nested tags. I suppose we could detect the limit and just skip the nested content making sure fatal error is not thrown, printing warning to the log instead.
If you want to display such messages you can just reconfigure PHP with higher nesting level limit.

[rcubetrac]

Comment by @alecpl on 17 May 2013 17:26 UTC

The option is xdebug.max_nesting_level or suhosin.executor.max_depth.

[rcubetrac]

Comment by flack on 22 May 2013 13:08 UTC

Ok, I added

ini_set('xdebug.max_nesting_level', 200);

to main.inc.php now, and for the moment, this is ok as a workaround. But it would be really good if this situation could be handled more gracefully by RC itself. I mean, the email's HTML was very bad, true, but it was not forged or tampered or anything, so in principle, this problem might occur in every installation, since you never know who sends you what. Maybe there could be some logic that throws an exception right before the max nesting level is reached, and then the message gets displayed as plain text instead of HTML? But that's only off the top of my head, I haven't looked at the actual RC code involved to see if such a thing is possible or desirable.

[rcubetrac]

Comment by @alecpl on 24 May 2013 07:21 UTC

Fixed in a899409.

[rcubetrac]

Status changed by @alecpl on 24 May 2013 07:21 UTC

new => closed

[rcubetrac]

Milestone changed by @alecpl on 24 May 2013 07:21 UTC

1.0-beta => 0.9.2

[rcubetrac]

Comment by jansegre on 4 Apr 2014 21:56 UTC

I've recently had this issue with roundcube 0.9.3 and tried upgrading to 0.9.5 and 1.0.0-rc, none of them solve this issue.

I took a look at patch that should fix the issue and I encountered this problem:
when the $level variable starts at 0, but at the current nest level at that point is clearly higher than 0.

To temporarily fix this problem I changed the signature of the function to:
private function dumpHtml($node, $level = 30)

And the problem was gone. (A brief binary search revealed that 17 was the smallest $level that fixed it, though it might not always be the case if my theory is correct)

I either overlooked something else or the patch doesn't exactly fix the issue.

I can forward the email that started this trouble, I just don't know where to send it to.

[rcubetrac]

Comment by @alecpl on 5 Apr 2014 07:26 UTC

Indeed. Fixed in c77a849.