+32
-3
lines changed Original file line number Diff line number Diff line change
@@ -737,7 +737,7 @@ def test_bad_gzip_request(self):
737
737
with cm:
738
738
p.pow(6, 8)
739
739
740
-
def test_gsip_response(self):
740
+
def test_gzip_response(self):
741
741
t = self.Transport()
742
742
p = xmlrpclib.ServerProxy(URL, transport=t)
743
743
old = self.requestHandler.encode_threshold
@@ -750,6 +750,23 @@ def test_gsip_response(self):
750
750
self.requestHandler.encode_threshold = old
751
751
self.assertTrue(a>b)
752
752
753
+
def test_gzip_decode_limit(self):
754
+
max_gzip_decode = 20 * 1024 * 1024
755
+
data = '\0' * max_gzip_decode
756
+
encoded = xmlrpclib.gzip_encode(data)
757
+
decoded = xmlrpclib.gzip_decode(encoded)
758
+
self.assertEqual(len(decoded), max_gzip_decode)
759
+
760
+
data = '\0' * (max_gzip_decode + 1)
761
+
encoded = xmlrpclib.gzip_encode(data)
762
+
763
+
with self.assertRaisesRegexp(ValueError,
764
+
"max gzipped payload length exceeded"):
765
+
xmlrpclib.gzip_decode(encoded)
766
+
767
+
xmlrpclib.gzip_decode(encoded, max_decode=-1)
768
+
769
+
753
770
#Test special attributes of the ServerProxy object
754
771
class ServerProxyTestCase(unittest.TestCase):
755
772
def setUp(self):
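Review bot: The final call in test_gzip_decode_limit, `xmlrpclib.gzip_decode(encoded, max_decode=-1)`, discards its result, so the unlimited branch is executed but nothing about it is checked; `self.assertEqual(len(xmlrpclib.gzip_decode(encoded, max_decode=-1)), max_gzip_decode + 1)` would pin that a negative limit really returns the whole payload. The test also hard-codes `20 * 1024 * 1024` as the boundary, which matches the `20971520` default in gzip_decode's signature today but will silently stop testing the real edge if that default is ever changed; deriving it from the library (a module-level constant or the signature default) keeps the two coupled. Building and gzipping two ~20 MB strings is likely one of the slowest cases in this module; passing a small explicit `max_decode` exercises the same length-plus-one boundary in a fraction of the time, and a `max_decode=0` case would cover the other edge of the check.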
Original file line number Diff line number Diff line change
@@ -49,6 +49,7 @@
49
49
# 2003-07-12 gp Correct marshalling of Faults
50
50
# 2003-10-31 mvl Add multicall support
51
51
# 2004-08-20 mvl Bump minimum supported Python version to 2.1
52
+
# 2014-12-02 ch/doko Add workaround for gzip bomb vulnerability
52
53
#
53
54
# Copyright (c) 1999-2002 by Secret Labs AB.
54
55
# Copyright (c) 1999-2002 by Fredrik Lundh.
@@ -1165,10 +1166,13 @@ def gzip_encode(data):
1165
1166
# in the HTTP header, as described in RFC 1952
1166
1167
#
1167
1168
# @param data The encoded data
1169
+
# @keyparam max_decode Maximum bytes to decode (20MB default), use negative
1170
+
# values for unlimited decoding
1168
1171
# @return the unencoded data
1169
1172
# @raises ValueError if data is not correctly coded.
1173
+
# @raises ValueError if max gzipped payload length exceeded
1170
1174
1171
-
def gzip_decode(data):
1175
+
def gzip_decode(data, max_decode=20971520):
1172
1176
"""gzip encoded data -> unencoded data
1173
1177
1174
1178
Decode data using the gzip content encoding as described in RFC 1952
@@ -1178,11 +1182,16 @@ def gzip_decode(data):
1178
1182
f = StringIO.StringIO(data)
1179
1183
gzf = gzip.GzipFile(mode="rb", fileobj=f)
1180
1184
try:
1181
-
decoded = gzf.read()
1185
+
if max_decode < 0: # no limit
1186
+
decoded = gzf.read()
1187
+
else:
1188
+
decoded = gzf.read(max_decode + 1)
1182
1189
except IOError:
1183
1190
raise ValueError("invalid data")
1184
1191
f.close()
1185
1192
gzf.close()
1193
+
if max_decode >= 0 and len(decoded) > max_decode:
1194
+
raise ValueError("max gzipped payload length exceeded")
1186
1195
return decoded
1187
1196
1188
1197
##
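Review bot: The new `max_decode` default protects only callers that decompress via gzip_decode; if any other path in the module wraps `gzip.GzipFile` directly around a response stream, it remains unbounded, and that scope is worth stating in the comment block above the signature since those callers are outside this hunk. The function docstring at new line 1176 still reads `gzip encoded data -> unencoded data` and does not mention `max_decode` or the new ValueError, while the `#` block above does; its body continues past the hunk, so the parameter may be documented lower down, but the one-line summary should at least name the limit. `gzf.read(max_decode + 1)` bounds the decoded buffer at limit+1 bytes, which is the right shape for the length check that follows, and `max_decode=0` consequently rejects any non-empty payload while only negative values disable the check, which deserves a sentence in the `@keyparam` line. Minor: `20971520` is 20 MiB, so `(20MB default)` would be exact as `(20 MiB default)`.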
Original file line number Diff line number Diff line change
@@ -10,6 +10,9 @@ What's New in Python 2.7.9?
10
10
Library
11
11
-------
12
12
13
+
- Issue #16043: Add a default limit for the amount of data xmlrpclib.gzip_decode
14
+
will return. This resolves CVE-2013-1753.
15
+
13
16
- Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by limiting
14
17
the call to readline(). Original patch by Christian Heimes.
15
18