diff options
author | Benjamin Peterson <benjamin@python.org> | 2014-12-06 01:15:15 (GMT) |
---|---|---|
committer | Benjamin Peterson <benjamin@python.org> | 2014-12-06 01:15:15 (GMT) |
commit | 4e9cefaf86035f8014e09049328d197b6506532f (patch) | |
tree | ddbd8877138fec984a96531571b870f996ed37d0 /Lib/xmlrpc/client.py | |
parent | 258f3f0dc23c7721c7a9314d9aa47fa3504b3c52 (diff) | |
download | cpython-4e9cefaf86035f8014e09049328d197b6506532f.zip cpython-4e9cefaf86035f8014e09049328d197b6506532f.tar.gz cpython-4e9cefaf86035f8014e09049328d197b6506532f.tar.bz2 |
add a default limit for the amount of data xmlrpclib.gzip_decode will return (closes #16043)
Diffstat (limited to 'Lib/xmlrpc/client.py')
-rw-r--r-- | Lib/xmlrpc/client.py | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/Lib/xmlrpc/client.py b/Lib/xmlrpc/client.py index ec8d8e9..c03a5f0 100644 --- a/Lib/xmlrpc/client.py +++ b/Lib/xmlrpc/client.py @@ -49,6 +49,7 @@ # 2003-07-12 gp Correct marshalling of Faults # 2003-10-31 mvl Add multicall support # 2004-08-20 mvl Bump minimum supported Python version to 2.1 +# 2014-12-02 ch/doko Add workaround for gzip bomb vulnerability # # Copyright (c) 1999-2002 by Secret Labs AB. # Copyright (c) 1999-2002 by Fredrik Lundh. @@ -1017,10 +1018,13 @@ def gzip_encode(data): # in the HTTP header, as described in RFC 1952 # # @param data The encoded data +# @keyparam max_decode Maximum bytes to decode (20MB default), use negative +# values for unlimited decoding # @return the unencoded data # @raises ValueError if data is not correctly coded. +# @raises ValueError if max gzipped payload length exceeded -def gzip_decode(data): +def gzip_decode(data, max_decode=20971520): """gzip encoded data -> unencoded data Decode data using the gzip content encoding as described in RFC 1952 @@ -1030,11 +1034,16 @@ def gzip_decode(data): f = BytesIO(data) gzf = gzip.GzipFile(mode="rb", fileobj=f) try: - decoded = gzf.read() + if max_decode < 0: # no limit + decoded = gzf.read() + else: + decoded = gzf.read(max_decode + 1) except IOError: raise ValueError("invalid data") f.close() gzf.close() + if max_decode >= 0 and len(decoded) > max_decode: + raise ValueError("max gzipped payload length exceeded") return decoded ## |