Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer

upon malformed POST request.
author: Charles-François Natali <neologix@free.fr> 2012-02-18 14:02:10 (GMT)
committer: Charles-François Natali <neologix@free.fr> 2012-02-18 14:02:10 (GMT)
commit: 3ccc918b4addd3c189c4214f5283fa9aae980f41 (patch)
tree: 07b9755d7ba012247adae0ae6751e4046336228c
parent: 93abdd1ab80b014a32a97342c263cf6d623d4ce6 (diff)
parent: cd96b4f1ff4dd3a97eedbcea8a837388c0cb8345 (diff)
download: cpython-3ccc918b4addd3c189c4214f5283fa9aae980f41.zip
cpython-3ccc918b4addd3c189c4214f5283fa9aae980f41.tar.gz
cpython-3ccc918b4addd3c189c4214f5283fa9aae980f41.tar.bz2
3 files changed, 15 insertions, 7 deletions
diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
index e5601a5..afd8c51 100644
--- a/Lib/test/test_xmlrpc.py
+++ b/Lib/test/test_xmlrpc.py
@@ -519,12 +519,7 @@ class BaseServerTestCase(unittest.TestCase):
 
     def tearDown(self):
         # wait on the server thread to terminate
-        self.evt.wait(4.0)
-        # XXX this code does not work, and in fact stop_serving doesn't exist.
-        if not self.evt.is_set():
-            self.evt.set()
-            stop_serving()
-            raise RuntimeError("timeout reached, test has failed")
+        self.evt.wait()
 
         # disable traceback reporting
         xmlrpc.server.SimpleXMLRPCServer._send_traceback_header = False
@@ -671,6 +666,13 @@ class SimpleServerTestCase(BaseServerTestCase):
         server = xmlrpclib.ServerProxy("http://%s:%d/RPC2" % (ADDR, PORT))
         self.assertEqual(server.add("a", "\xe9"), "a\xe9")
 
+    def test_partial_post(self):
+        # Check that a partial POST doesn't make the server loop: issue #14001.
+        conn = http.client.HTTPConnection(ADDR, PORT)
+        conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
+        conn.close()
+
+
 class MultiPathServerTestCase(BaseServerTestCase):
     threadFunc = staticmethod(http_multi_server)
     request_count = 2
diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py
index bf22aa9..fc3fa4b 100644
--- a/Lib/xmlrpc/server.py
+++ b/Lib/xmlrpc/server.py
@@ -476,7 +476,10 @@ class SimpleXMLRPCRequestHandler(BaseHTTPRequestHandler):
             L = []
             while size_remaining:
                 chunk_size = min(size_remaining, max_chunk_size)
-                L.append(self.rfile.read(chunk_size))
+                chunk = self.rfile.read(chunk_size)
+                if not chunk:
+                    break
+                L.append(chunk)
                 size_remaining -= len(L[-1])
             data = b''.join(L)
 
diff --git a/Misc/NEWS b/Misc/NEWS
index 10862e4..1da9d8a 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -466,6 +466,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in
+  SimpleXMLRPCServer upon malformed POST request.
+
 - Issue #13961: Move importlib over to using os.replace() for atomic renaming.
 
 - Do away with ambiguous level values (as suggested by PEP 328) in
author	Charles-François Natali <neologix@free.fr>	2012-02-18 14:02:10 (GMT)
committer	Charles-François Natali <neologix@free.fr>	2012-02-18 14:02:10 (GMT)
commit	3ccc918b4addd3c189c4214f5283fa9aae980f41 (patch)
tree	07b9755d7ba012247adae0ae6751e4046336228c
parent	93abdd1ab80b014a32a97342c263cf6d623d4ce6 (diff)
parent	cd96b4f1ff4dd3a97eedbcea8a837388c0cb8345 (diff)
download	cpython-3ccc918b4addd3c189c4214f5283fa9aae980f41.zip cpython-3ccc918b4addd3c189c4214f5283fa9aae980f41.tar.gz cpython-3ccc918b4addd3c189c4214f5283fa9aae980f41.tar.bz2