Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer

upon malformed POST request.

Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer
upon malformed POST request.
66f3cc6f · Charles-François Natali · d358e055 · 66f3cc6f · 66f3cc6f
Commit 66f3cc6f authored Feb 18, 2012 by Charles-François Natali
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

Lib/SimpleXMLRPCServer.py Lib/SimpleXMLRPCServer.py +4 -1

Misc/NEWS Misc/NEWS +3 -0

No files found.
--- a/Lib/SimpleXMLRPCServer.py
+++ b/Lib/SimpleXMLRPCServer.py
@@ -459,7 +459,10 @@ class SimpleXMLRPCRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
            L = []
            while size_remaining:
                chunk_size = min(size_remaining, max_chunk_size)
-                L.append(self.rfile.read(chunk_size))
+                chunk = self.rfile.read(chunk_size)
+                if not chunk:
+                    break
+                L.append(chunk)
                size_remaining -= len(L[-1])
            data = ''.join(L)


--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------

+- Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in
+  SimpleXMLRPCServer upon malformed POST request.
+
 - Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
  IV attack countermeasure.