summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBenjamin Peterson <benjamin@python.org>2014-12-06 01:30:54 (GMT)
committerBenjamin Peterson <benjamin@python.org>2014-12-06 01:30:54 (GMT)
commit81b7374fbe5f77567642d5aa42d4c1e6eee610b2 (patch)
tree36995a727ad750225642d690508d2db92df439c6
parente71abcc7bb0ab2d11af25d6a65db73701b58a91c (diff)
parent4e9cefaf86035f8014e09049328d197b6506532f (diff)
downloadcpython-81b7374fbe5f77567642d5aa42d4c1e6eee610b2.zip
cpython-81b7374fbe5f77567642d5aa42d4c1e6eee610b2.tar.gz
cpython-81b7374fbe5f77567642d5aa42d4c1e6eee610b2.tar.bz2
merge 3.2 (#16043)
-rw-r--r--Lib/test/test_xmlrpc.py23
-rw-r--r--Lib/xmlrpc/client.py13
-rw-r--r--Misc/NEWS3
3 files changed, 36 insertions, 3 deletions
diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
index cc52259..fe2bf03 100644
--- a/Lib/test/test_xmlrpc.py
+++ b/Lib/test/test_xmlrpc.py
@@ -845,7 +845,7 @@ class GzipServerTestCase(BaseServerTestCase):
p.pow(6, 8)
p("close")()
- def test_gsip_response(self):
+ def test_gzip_response(self):
t = self.Transport()
p = xmlrpclib.ServerProxy(URL, transport=t)
old = self.requestHandler.encode_threshold
@@ -859,6 +859,26 @@ class GzipServerTestCase(BaseServerTestCase):
self.requestHandler.encode_threshold = old
self.assertTrue(a>b)
+
+class GzipUtilTestCase(unittest.TestCase):
+
+ def test_gzip_decode_limit(self):
+ max_gzip_decode = 20 * 1024 * 1024
+ data = b'\0' * max_gzip_decode
+ encoded = xmlrpclib.gzip_encode(data)
+ decoded = xmlrpclib.gzip_decode(encoded)
+ self.assertEqual(len(decoded), max_gzip_decode)
+
+ data = b'\0' * (max_gzip_decode + 1)
+ encoded = xmlrpclib.gzip_encode(data)
+
+ with self.assertRaisesRegexp(ValueError,
+ "max gzipped payload length exceeded"):
+ xmlrpclib.gzip_decode(encoded)
+
+ xmlrpclib.gzip_decode(encoded, max_decode=-1)
+
+
#Test special attributes of the ServerProxy object
class ServerProxyTestCase(unittest.TestCase):
def setUp(self):
@@ -1093,6 +1113,7 @@ def test_main():
try:
import gzip
xmlrpc_tests.append(GzipServerTestCase)
+ xmlrpc_tests.append(GzipUtilTestCase)
except ImportError:
pass #gzip not supported in this build
xmlrpc_tests.append(MultiPathServerTestCase)
diff --git a/Lib/xmlrpc/client.py b/Lib/xmlrpc/client.py
index 461c300..ca2ac9f 100644
--- a/Lib/xmlrpc/client.py
+++ b/Lib/xmlrpc/client.py
@@ -49,6 +49,7 @@
# 2003-07-12 gp Correct marshalling of Faults
# 2003-10-31 mvl Add multicall support
# 2004-08-20 mvl Bump minimum supported Python version to 2.1
+# 2014-12-02 ch/doko Add workaround for gzip bomb vulnerability
#
# Copyright (c) 1999-2002 by Secret Labs AB.
# Copyright (c) 1999-2002 by Fredrik Lundh.
@@ -1031,10 +1032,13 @@ def gzip_encode(data):
# in the HTTP header, as described in RFC 1952
#
# @param data The encoded data
+# @keyparam max_decode Maximum bytes to decode (20MB default), use negative
+# values for unlimited decoding
# @return the unencoded data
# @raises ValueError if data is not correctly coded.
+# @raises ValueError if max gzipped payload length exceeded
-def gzip_decode(data):
+def gzip_decode(data, max_decode=20971520):
"""gzip encoded data -> unencoded data
Decode data using the gzip content encoding as described in RFC 1952
@@ -1044,11 +1048,16 @@ def gzip_decode(data):
f = BytesIO(data)
gzf = gzip.GzipFile(mode="rb", fileobj=f)
try:
- decoded = gzf.read()
+ if max_decode < 0: # no limit
+ decoded = gzf.read()
+ else:
+ decoded = gzf.read(max_decode + 1)
except IOError:
raise ValueError("invalid data")
f.close()
gzf.close()
+ if max_decode >= 0 and len(decoded) > max_decode:
+ raise ValueError("max gzipped payload length exceeded")
return decoded
##
diff --git a/Misc/NEWS b/Misc/NEWS
index 7676c90..c66da32 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -26,6 +26,9 @@ Core and Builtins
Library
-------
+- Issue #16043: Add a default limit for the amount of data xmlrpclib.gzip_decode
+ will return. This resolves CVE-2013-1753.
+
- Issue #22517: When a io.BufferedRWPair object is deallocated, clear its
weakrefs.