+36
-3
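--- a/PATH_NOT_SHOWN_ON_PAGE (xmlrpc test module)
+++ b/PATH_NOT_SHOWN_ON_PAGE (xmlrpc test module)
@@ -776,7 +776,7 @@ def test_bad_gzip_request(self):
         p.pow(6, 8)
         p("close")()
 
-    def test_gsip_response(self):
+    def test_gzip_response(self):
         t = self.Transport()
         p = xmlrpclib.ServerProxy(URL, transport=t)
         old = self.requestHandler.encode_threshold
@@ -790,6 +790,26 @@ def test_gsip_response(self):
         self.requestHandler.encode_threshold = old
         self.assertTrue(a>b)
 
+
+class GzipUtilTestCase(unittest.TestCase):
+
+    def test_gzip_decode_limit(self):
+        max_gzip_decode = 20 * 1024 * 1024
+        data = b'\0' * max_gzip_decode
+        encoded = xmlrpclib.gzip_encode(data)
+        decoded = xmlrpclib.gzip_decode(encoded)
+        self.assertEqual(len(decoded), max_gzip_decode)
+
+        data = b'\0' * (max_gzip_decode + 1)
+        encoded = xmlrpclib.gzip_encode(data)
+
+        with self.assertRaisesRegexp(ValueError,
+                                     "max gzipped payload length exceeded"):
+            xmlrpclib.gzip_decode(encoded)
+
+        xmlrpclib.gzip_decode(encoded, max_decode=-1)
+
+
 #Test special attributes of the ServerProxy object
 class ServerProxyTestCase(unittest.TestCase):
     def setUp(self):
@@ -990,6 +1010,7 @@ def test_main():
     try:
         import gzip
         xmlrpc_tests.append(GzipServerTestCase)
+        xmlrpc_tests.append(GzipUtilTestCase)
     except ImportError:
         pass #gzip not supported in this build
     xmlrpc_tests.append(MultiPathServerTestCase)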
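Review bot: The last statement of test_gzip_decode_limit, `xmlrpclib.gzip_decode(encoded, max_decode=-1)`, only proves that a negative limit does not raise; asserting the result, `self.assertEqual(len(xmlrpclib.gzip_decode(encoded, max_decode=-1)), max_gzip_decode + 1)`, would also pin that the unlimited branch returns the whole payload rather than a truncated one. The case builds and compresses two 20 MiB buffers to exercise the default limit; a second check with a small explicit limit on a short payload (for example `max_decode=10` against a few dozen bytes) would cover the exact-limit and over-limit boundaries cheaply and keep the test fast if the default is ever raised.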
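--- a/PATH_NOT_SHOWN_ON_PAGE (xmlrpclib module)
+++ b/PATH_NOT_SHOWN_ON_PAGE (xmlrpclib module)
@@ -49,6 +49,7 @@
 # 2003-07-12 gp Correct marshalling of Faults
 # 2003-10-31 mvl Add multicall support
 # 2004-08-20 mvl Bump minimum supported Python version to 2.1
+# 2014-12-02 ch/doko Add workaround for gzip bomb vulnerability
 #
 # Copyright (c) 1999-2002 by Secret Labs AB.
 # Copyright (c) 1999-2002 by Fredrik Lundh.
@@ -1017,10 +1018,13 @@ def gzip_encode(data):
 # in the HTTP header, as described in RFC 1952
 #
 # @param data The encoded data
+# @keyparam max_decode Maximum bytes to decode (20MB default), use negative
+# values for unlimited decoding
 # @return the unencoded data
 # @raises ValueError if data is not correctly coded.
+# @raises ValueError if max gzipped payload length exceeded
 
-def gzip_decode(data):
+def gzip_decode(data, max_decode=20971520):
     """gzip encoded data -> unencoded data
 
     Decode data using the gzip content encoding as described in RFC 1952
@@ -1030,11 +1034,16 @@ def gzip_decode(data):
     f = BytesIO(data)
     gzf = gzip.GzipFile(mode="rb", fileobj=f)
     try:
-        decoded = gzf.read()
+        if max_decode < 0: # no limit
+            decoded = gzf.read()
+        else:
+            decoded = gzf.read(max_decode + 1)
     except IOError:
         raise ValueError("invalid data")
     f.close()
     gzf.close()
+    if max_decode >= 0 and len(decoded) > max_decode:
+        raise ValueError("max gzipped payload length exceeded")
     return decoded
 
 ##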
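Review bot: Both failure paths in gzip_decode now raise a plain ValueError, so a caller that wants to treat an over-limit payload differently from corrupt input (log it as a suspected decompression bomb, reject the request with a size error) can only do so by matching the message text; raising a ValueError subclass on the new `raise ValueError("max gzipped payload length exceeded")` line would keep existing `except ValueError` handlers working while making the two cases distinguishable. The enforcement order is right — `gzf.read(max_decode + 1)` bounds the decompressed buffer before the length check runs — but the function's own docstring still only mentions RFC 1952; a line such as `At most max_decode bytes are returned; larger payloads raise ValueError, negative max_decode disables the limit.` after `Decode data using the gzip content encoding as described in RFC 1952` would document the contract where callers read it. The bound only protects callers that go through gzip_decode; if the Transport decodes gzip responses through a separate GzipFile wrapper, that path is not visible in this hunk and is not limited by the change. gzip_decode's body begins above this hunk.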
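--- a/PATH_NOT_SHOWN_ON_PAGE (NEWS file)
+++ b/PATH_NOT_SHOWN_ON_PAGE (NEWS file)
@@ -16,6 +16,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #16043: Add a default limit for the amount of data xmlrpclib.gzip_decode
+  will return. This resolves CVE-2013-1753.
+
 - Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to
   prevent readline() calls from consuming too much memory. Patch by Jyrki
   Pulliainen.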