diff options
| author | Charles-François Natali <neologix@free.fr> | 2012-02-18 13:53:41 (GMT) |
|---|---|---|
| committer | Charles-François Natali <neologix@free.fr> | 2012-02-18 13:53:41 (GMT) |
| commit | cd96b4f1ff4dd3a97eedbcea8a837388c0cb8345 (patch) | |
| tree | 270c805de948cee78b13fed5776abb9e0c0c4ad0 | |
| parent | ead1de2f0320fa80f717891fd3ae465172fcd96a (diff) | |
| parent | ec1712a1662282c909b4cd4cc0c7486646bc9246 (diff) | |
| download | cpython-cd96b4f1ff4dd3a97eedbcea8a837388c0cb8345.zip cpython-cd96b4f1ff4dd3a97eedbcea8a837388c0cb8345.tar.gz cpython-cd96b4f1ff4dd3a97eedbcea8a837388c0cb8345.tar.bz2 | |
Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer
upon malformed POST request.
| -rw-r--r-- | Lib/test/test_xmlrpc.py | 14 | ||||
| -rw-r--r-- | Lib/xmlrpc/server.py | 5 | ||||
| -rw-r--r-- | Misc/NEWS | 3 |
3 files changed, 15 insertions, 7 deletions
diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py index e97420b..3814191 100644 --- a/Lib/test/test_xmlrpc.py +++ b/Lib/test/test_xmlrpc.py @@ -474,12 +474,7 @@ class BaseServerTestCase(unittest.TestCase): def tearDown(self): # wait on the server thread to terminate - self.evt.wait(4.0) - # XXX this code does not work, and in fact stop_serving doesn't exist. - if not self.evt.is_set(): - self.evt.set() - stop_serving() - raise RuntimeError("timeout reached, test has failed") + self.evt.wait() # disable traceback reporting xmlrpc.server.SimpleXMLRPCServer._send_traceback_header = False @@ -626,6 +621,13 @@ class SimpleServerTestCase(BaseServerTestCase): server = xmlrpclib.ServerProxy("http://%s:%d/RPC2" % (ADDR, PORT)) self.assertEqual(server.add("a", "\xe9"), "a\xe9") + def test_partial_post(self): + # Check that a partial POST doesn't make the server loop: issue #14001. + conn = http.client.HTTPConnection(ADDR, PORT) + conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye') + conn.close() + + class MultiPathServerTestCase(BaseServerTestCase): threadFunc = staticmethod(http_multi_server) request_count = 2 diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py index 72f3bfc..d7ed3f3 100644 --- a/Lib/xmlrpc/server.py +++ b/Lib/xmlrpc/server.py @@ -474,7 +474,10 @@ class SimpleXMLRPCRequestHandler(BaseHTTPRequestHandler): L = [] while size_remaining: chunk_size = min(size_remaining, max_chunk_size) - L.append(self.rfile.read(chunk_size)) + chunk = self.rfile.read(chunk_size) + if not chunk: + break + L.append(chunk) size_remaining -= len(L[-1]) data = b''.join(L) @@ -116,6 +116,9 @@ Core and Builtins Library ------- +- Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in + SimpleXMLRPCServer upon malformed POST request. + - Issue #2489: pty.spawn could consume 100% cpu when it encountered an EOF. - Issue #13014: Fix a possible reference leak in SSLSocket.getpeercert(). |