add a default limit for the amount of data xmlrpclib.gzip_decode will return (closes #16043)

8a753256 · Benjamin Peterson · 0da1af0f · 8a753256 · 8a753256 · 8a753256
Commit 8a753256 authored Dec 05, 2014 by Benjamin Peterson
Hide whitespace changes
Inline Side-by-side

Showing with 36 additions and 3 deletions

Lib/test/test_xmlrpc.py Lib/test/test_xmlrpc.py +22 -1

Lib/xmlrpc/client.py Lib/xmlrpc/client.py +11 -2

Misc/NEWS Misc/NEWS +3 -0

No files found.
--- a/Lib/test/test_xmlrpc.py
+++ b/Lib/test/test_xmlrpc.py
@@ -776,7 +776,7 @@ class GzipServerTestCase(BaseServerTestCase):
            p.pow(6, 8)
        p("close")()
-    def test_gsip_response(self):
+    def test_gzip_response(self):
        t = self.Transport()
        p = xmlrpclib.ServerProxy(URL, transport=t)
        old = self.requestHandler.encode_threshold
@@ -790,6 +790,26 @@ class GzipServerTestCase(BaseServerTestCase):
        self.requestHandler.encode_threshold = old
        self.assertTrue(a>b)
+class GzipUtilTestCase(unittest.TestCase):
+    def test_gzip_decode_limit(self):
+        max_gzip_decode = 20 * 1024 * 1024
+        data = b'\0' * max_gzip_decode
+        encoded = xmlrpclib.gzip_encode(data)
+        decoded = xmlrpclib.gzip_decode(encoded)
+        self.assertEqual(len(decoded), max_gzip_decode)
+        data = b'\0' * (max_gzip_decode + 1)
+        encoded = xmlrpclib.gzip_encode(data)
+        with self.assertRaisesRegexp(ValueError,
+                                     "max gzipped payload length exceeded"):
+            xmlrpclib.gzip_decode(encoded)
+        xmlrpclib.gzip_decode(encoded, max_decode=-1)
 #Test special attributes of the ServerProxy object
 class ServerProxyTestCase(unittest.TestCase):
    def setUp(self):
@@ -990,6 +1010,7 @@ def test_main():
    try:
        import gzip
        xmlrpc_tests.append(GzipServerTestCase)
+        xmlrpc_tests.append(GzipUtilTestCase)
    except ImportError:
        pass #gzip not supported in this build
    xmlrpc_tests.append(MultiPathServerTestCase)

--- a/Lib/xmlrpc/client.py
+++ b/Lib/xmlrpc/client.py
@@ -49,6 +49,7 @@
 # 2003-07-12 gp  Correct marshalling of Faults
 # 2003-10-31 mvl Add multicall support
 # 2004-08-20 mvl Bump minimum supported Python version to 2.1
+# 2014-12-02 ch/doko  Add workaround for gzip bomb vulnerability
 #
 # Copyright (c) 1999-2002 by Secret Labs AB.
 # Copyright (c) 1999-2002 by Fredrik Lundh.
@@ -1017,10 +1018,13 @@ def gzip_encode(data):
 # in the HTTP header, as described in RFC 1952
 #
 # @param data The encoded data
+# @keyparam max_decode Maximum bytes to decode (20MB default), use negative
+#    values for unlimited decoding
 # @return the unencoded data
 # @raises ValueError if data is not correctly coded.
+# @raises ValueError if max gzipped payload length exceeded
-def gzip_decode(data):
+def gzip_decode(data, max_decode=20971520):
    """gzip encoded data -> unencoded data
    Decode data using the gzip content encoding as described in RFC 1952
@@ -1030,11 +1034,16 @@ def gzip_decode(data):
    f = BytesIO(data)
    gzf = gzip.GzipFile(mode="rb", fileobj=f)
    try:
-        decoded = gzf.read()
+        if max_decode < 0: # no limit
+            decoded = gzf.read()
+        else:
+            decoded = gzf.read(max_decode + 1)
    except IOError:
        raise ValueError("invalid data")
    f.close()
    gzf.close()
+    if max_decode >= 0 and len(decoded) > max_decode:
+        raise ValueError("max gzipped payload length exceeded")
    return decoded
 ##

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -16,6 +16,9 @@ Core and Builtins
 Library
 -------
+- Issue #16043: Add a default limit for the amount of data xmlrpclib.gzip_decode
+  will return. This resolves CVE-2013-1753.
 - Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to
  prevent readline() calls from consuming too much memory.  Patch by Jyrki
  Pulliainen.