Blame SOURCES/00199-CVE-2013-1753.patch

f63228
f63228
# HG changeset patch
f63228
# User Benjamin Peterson <benjamin@python.org>
f63228
# Date 1417828515 18000
f63228
# Node ID d50096708b2d701937e78f525446d729fc28db88
f63228
# Parent  923aac88a3cc76a95d5a04d9d3ece245147a8064
f63228
add a default limit for the amount of data xmlrpclib.gzip_decode will return (closes #16043)
f63228
f63228
diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
f63228
--- a/Lib/test/test_xmlrpc.py
f63228
+++ b/Lib/test/test_xmlrpc.py
f63228
@@ -737,7 +737,7 @@ class GzipServerTestCase(BaseServerTestC
f63228
         with cm:
f63228
             p.pow(6, 8)
f63228
 
f63228
-    def test_gsip_response(self):
f63228
+    def test_gzip_response(self):
f63228
         t = self.Transport()
f63228
         p = xmlrpclib.ServerProxy(URL, transport=t)
f63228
         old = self.requestHandler.encode_threshold
f63228
@@ -750,6 +750,23 @@ class GzipServerTestCase(BaseServerTestC
f63228
         self.requestHandler.encode_threshold = old
f63228
         self.assertTrue(a>b)
f63228
 
f63228
+    def test_gzip_decode_limit(self):
f63228
+        max_gzip_decode = 20 * 1024 * 1024
f63228
+        data = '\0' * max_gzip_decode
f63228
+        encoded = xmlrpclib.gzip_encode(data)
f63228
+        decoded = xmlrpclib.gzip_decode(encoded)
f63228
+        self.assertEqual(len(decoded), max_gzip_decode)
f63228
+
f63228
+        data = '\0' * (max_gzip_decode + 1)
f63228
+        encoded = xmlrpclib.gzip_encode(data)
f63228
+
f63228
+        with self.assertRaisesRegexp(ValueError,
f63228
+                                     "max gzipped payload length exceeded"):
f63228
+            xmlrpclib.gzip_decode(encoded)
f63228
+
f63228
+        xmlrpclib.gzip_decode(encoded, max_decode=-1)
f63228
+
f63228
+
f63228
 #Test special attributes of the ServerProxy object
f63228
 class ServerProxyTestCase(unittest.TestCase):
f63228
     def setUp(self):
f63228
diff --git a/Lib/xmlrpclib.py b/Lib/xmlrpclib.py
f63228
--- a/Lib/xmlrpclib.py
f63228
+++ b/Lib/xmlrpclib.py
f63228
@@ -49,6 +49,7 @@
f63228
 # 2003-07-12 gp  Correct marshalling of Faults
f63228
 # 2003-10-31 mvl Add multicall support
f63228
 # 2004-08-20 mvl Bump minimum supported Python version to 2.1
f63228
+# 2014-12-02 ch/doko  Add workaround for gzip bomb vulnerability
f63228
 #
f63228
 # Copyright (c) 1999-2002 by Secret Labs AB.
f63228
 # Copyright (c) 1999-2002 by Fredrik Lundh.
f63228
@@ -1165,10 +1166,13 @@ def gzip_encode(data):
f63228
 # in the HTTP header, as described in RFC 1952
f63228
 #
f63228
 # @param data The encoded data
f63228
+# @keyparam max_decode Maximum bytes to decode (20MB default), use negative
f63228
+#    values for unlimited decoding
f63228
 # @return the unencoded data
f63228
 # @raises ValueError if data is not correctly coded.
f63228
+# @raises ValueError if max gzipped payload length exceeded
f63228
 
f63228
-def gzip_decode(data):
f63228
+def gzip_decode(data, max_decode=20971520):
f63228
     """gzip encoded data -> unencoded data
f63228
 
f63228
     Decode data using the gzip content encoding as described in RFC 1952
f63228
@@ -1178,11 +1182,16 @@ def gzip_decode(data):
f63228
     f = StringIO.StringIO(data)
f63228
     gzf = gzip.GzipFile(mode="rb", fileobj=f)
f63228
     try:
f63228
-        decoded = gzf.read()
f63228
+        if max_decode < 0: # no limit
f63228
+            decoded = gzf.read()
f63228
+        else:
f63228
+            decoded = gzf.read(max_decode + 1)
f63228
     except IOError:
f63228
         raise ValueError("invalid data")
f63228
     f.close()
f63228
     gzf.close()
f63228
+    if max_decode >= 0 and len(decoded) > max_decode:
f63228
+        raise ValueError("max gzipped payload length exceeded")
f63228
     return decoded
f63228
 
f63228
 ##