doy / spreadsheet-parsexlsx

parse XLSX files
http://metacpan.org/release/Spreadsheet-ParseXLSX

fix possible memory bomb #104

Closed MichaelDaum closed 8 months ago

MichaelDaum commented 8 months ago

As reported in https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md and https://github.com/doy/spreadsheet-parsexlsx/issues/103

timlegge commented 8 months ago

I just tested the POC with this patch. With the patch applied the POC has no impact and the script runs in less than a second.

```
root@5f384593a557:/app# time perl ahihi.pl
Parsing took 0 secs

real    0m0.323s
user    0m0.283s
sys     0m0.040s
```

Without the patch, the script in the Docker container eventually runs the host out of memory and is killed. My laptop became unresponsive about 2.5 minutes in until the script was killed.

```
root@5f384593a557:/app# time perl ahihi.pl
Killed

real    2m59.416s
user    1m49.402s
sys     0m14.709s
```

Tim