Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
C
cpython
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
cpython
Commits
4e9cefaf
Commit
4e9cefaf
authored
Dec 05, 2014
by
Benjamin Peterson
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
add a default limit for the amount of data xmlrpclib.gzip_decode will return (closes #16043)
parent
258f3f0d
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
36 additions
and
3 deletions
+36
-3
Lib/test/test_xmlrpc.py
Lib/test/test_xmlrpc.py
+22
-1
Lib/xmlrpc/client.py
Lib/xmlrpc/client.py
+11
-2
Misc/NEWS
Misc/NEWS
+3
-0
No files found.
Lib/test/test_xmlrpc.py
View file @
4e9cefaf
...
...
@@ -776,7 +776,7 @@ class GzipServerTestCase(BaseServerTestCase):
p
.
pow
(
6
,
8
)
p
(
"close"
)()
def
test_g
s
ip_response
(
self
):
def
test_g
z
ip_response
(
self
):
t
=
self
.
Transport
()
p
=
xmlrpclib
.
ServerProxy
(
URL
,
transport
=
t
)
old
=
self
.
requestHandler
.
encode_threshold
...
...
@@ -790,6 +790,26 @@ class GzipServerTestCase(BaseServerTestCase):
self
.
requestHandler
.
encode_threshold
=
old
self
.
assertTrue
(
a
>
b
)
class
GzipUtilTestCase
(
unittest
.
TestCase
):
def
test_gzip_decode_limit
(
self
):
max_gzip_decode
=
20
*
1024
*
1024
data
=
b'
\
0
'
*
max_gzip_decode
encoded
=
xmlrpclib
.
gzip_encode
(
data
)
decoded
=
xmlrpclib
.
gzip_decode
(
encoded
)
self
.
assertEqual
(
len
(
decoded
),
max_gzip_decode
)
data
=
b'
\
0
'
*
(
max_gzip_decode
+
1
)
encoded
=
xmlrpclib
.
gzip_encode
(
data
)
with
self
.
assertRaisesRegexp
(
ValueError
,
"max gzipped payload length exceeded"
):
xmlrpclib
.
gzip_decode
(
encoded
)
xmlrpclib
.
gzip_decode
(
encoded
,
max_decode
=-
1
)
#Test special attributes of the ServerProxy object
class
ServerProxyTestCase
(
unittest
.
TestCase
):
def
setUp
(
self
):
...
...
@@ -990,6 +1010,7 @@ def test_main():
try:
import gzip
xmlrpc_tests.append(GzipServerTestCase)
xmlrpc_tests.append(GzipUtilTestCase)
except ImportError:
pass #gzip not supported in this build
xmlrpc_tests.append(MultiPathServerTestCase)
...
...
Lib/xmlrpc/client.py
View file @
4e9cefaf
...
...
@@ -49,6 +49,7 @@
# 2003-07-12 gp Correct marshalling of Faults
# 2003-10-31 mvl Add multicall support
# 2004-08-20 mvl Bump minimum supported Python version to 2.1
# 2014-12-02 ch/doko Add workaround for gzip bomb vulnerability
#
# Copyright (c) 1999-2002 by Secret Labs AB.
# Copyright (c) 1999-2002 by Fredrik Lundh.
...
...
@@ -1017,10 +1018,13 @@ def gzip_encode(data):
# in the HTTP header, as described in RFC 1952
#
# @param data The encoded data
# @keyparam max_decode Maximum bytes to decode (20MB default), use negative
# values for unlimited decoding
# @return the unencoded data
# @raises ValueError if data is not correctly coded.
# @raises ValueError if max gzipped payload length exceeded
def
gzip_decode
(
data
):
def
gzip_decode
(
data
,
max_decode
=
20971520
):
"""gzip encoded data -> unencoded data
Decode data using the gzip content encoding as described in RFC 1952
...
...
@@ -1030,11 +1034,16 @@ def gzip_decode(data):
f
=
BytesIO
(
data
)
gzf
=
gzip
.
GzipFile
(
mode
=
"rb"
,
fileobj
=
f
)
try
:
decoded
=
gzf
.
read
()
if
max_decode
<
0
:
# no limit
decoded
=
gzf
.
read
()
else
:
decoded
=
gzf
.
read
(
max_decode
+
1
)
except
IOError
:
raise
ValueError
(
"invalid data"
)
f
.
close
()
gzf
.
close
()
if
max_decode
>=
0
and
len
(
decoded
)
>
max_decode
:
raise
ValueError
(
"max gzipped payload length exceeded"
)
return
decoded
##
...
...
Misc/NEWS
View file @
4e9cefaf
...
...
@@ -16,6 +16,9 @@ Core and Builtins
Library
-------
- Issue #16043: Add a default limit for the amount of data xmlrpclib.gzip_decode
will return. This resolves CVE-2013-1753.
- Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to
prevent readline() calls from consuming too much memory. Patch by Jyrki
Pulliainen.
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment