From 4e9cefaf86035f8014e09049328d197b6506532f Mon Sep 17 00:00:00 2001 From: Benjamin Peterson Date: Fri, 5 Dec 2014 20:15:15 -0500 Subject: add a default limit for the amount of data xmlrpclib.gzip_decode will return (closes #16043) --- Lib/test/test_xmlrpc.py | 23 ++++++++++++++++++++++- Lib/xmlrpc/client.py | 13 +++++++++++-- Misc/NEWS | 3 +++ 3 files changed, 36 insertions(+), 3 deletions(-) diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py index 3814191..718cc17 100644 --- a/Lib/test/test_xmlrpc.py +++ b/Lib/test/test_xmlrpc.py @@ -776,7 +776,7 @@ class GzipServerTestCase(BaseServerTestCase): p.pow(6, 8) p("close")() - def test_gsip_response(self): + def test_gzip_response(self): t = self.Transport() p = xmlrpclib.ServerProxy(URL, transport=t) old = self.requestHandler.encode_threshold @@ -790,6 +790,26 @@ class GzipServerTestCase(BaseServerTestCase): self.requestHandler.encode_threshold = old self.assertTrue(a>b) + +class GzipUtilTestCase(unittest.TestCase): + + def test_gzip_decode_limit(self): + max_gzip_decode = 20 * 1024 * 1024 + data = b'\0' * max_gzip_decode + encoded = xmlrpclib.gzip_encode(data) + decoded = xmlrpclib.gzip_decode(encoded) + self.assertEqual(len(decoded), max_gzip_decode) + + data = b'\0' * (max_gzip_decode + 1) + encoded = xmlrpclib.gzip_encode(data) + + with self.assertRaisesRegexp(ValueError, + "max gzipped payload length exceeded"): + xmlrpclib.gzip_decode(encoded) + + xmlrpclib.gzip_decode(encoded, max_decode=-1) + + #Test special attributes of the ServerProxy object class ServerProxyTestCase(unittest.TestCase): def setUp(self): @@ -990,6 +1010,7 @@ def test_main(): try: import gzip xmlrpc_tests.append(GzipServerTestCase) + xmlrpc_tests.append(GzipUtilTestCase) except ImportError: pass #gzip not supported in this build xmlrpc_tests.append(MultiPathServerTestCase) diff --git a/Lib/xmlrpc/client.py b/Lib/xmlrpc/client.py index ec8d8e9..c03a5f0 100644 --- a/Lib/xmlrpc/client.py +++ b/Lib/xmlrpc/client.py @@ -49,6 +49,7 @@ # 2003-07-12 gp Correct marshalling of Faults # 2003-10-31 mvl Add multicall support # 2004-08-20 mvl Bump minimum supported Python version to 2.1 +# 2014-12-02 ch/doko Add workaround for gzip bomb vulnerability # # Copyright (c) 1999-2002 by Secret Labs AB. # Copyright (c) 1999-2002 by Fredrik Lundh. @@ -1017,10 +1018,13 @@ def gzip_encode(data): # in the HTTP header, as described in RFC 1952 # # @param data The encoded data +# @keyparam max_decode Maximum bytes to decode (20MB default), use negative +# values for unlimited decoding # @return the unencoded data # @raises ValueError if data is not correctly coded. +# @raises ValueError if max gzipped payload length exceeded -def gzip_decode(data): +def gzip_decode(data, max_decode=20971520): """gzip encoded data -> unencoded data Decode data using the gzip content encoding as described in RFC 1952 @@ -1030,11 +1034,16 @@ def gzip_decode(data): f = BytesIO(data) gzf = gzip.GzipFile(mode="rb", fileobj=f) try: - decoded = gzf.read() + if max_decode < 0: # no limit + decoded = gzf.read() + else: + decoded = gzf.read(max_decode + 1) except IOError: raise ValueError("invalid data") f.close() gzf.close() + if max_decode >= 0 and len(decoded) > max_decode: + raise ValueError("max gzipped payload length exceeded") return decoded ## diff --git a/Misc/NEWS b/Misc/NEWS index fc53c0f..3cff3cd 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -16,6 +16,9 @@ Core and Builtins Library ------- +- Issue #16043: Add a default limit for the amount of data xmlrpclib.gzip_decode + will return. This resolves CVE-2013-1753. + - Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to prevent readline() calls from consuming too much memory. Patch by Jyrki Pulliainen. -- cgit v0.12