# HG changeset patch

# User Benjamin Peterson <benjamin@python.org>

# Date 1417828515 18000

# Node ID d50096708b2d701937e78f525446d729fc28db88

# Parent  923aac88a3cc76a95d5a04d9d3ece245147a8064

add a default limit for the amount of data xmlrpclib.gzip_decode will return (closes #16043)

diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py

--- a/Lib/test/test_xmlrpc.py

+++ b/Lib/test/test_xmlrpc.py

@@ -737,7 +737,7 @@ class GzipServerTestCase(BaseServerTestC

         with cm:

             p.pow(6, 8)

-    def test_gsip_response(self):

+    def test_gzip_response(self):

         t = self.Transport()

         p = xmlrpclib.ServerProxy(URL, transport=t)

         old = self.requestHandler.encode_threshold

@@ -750,6 +750,23 @@ class GzipServerTestCase(BaseServerTestC

         self.requestHandler.encode_threshold = old

         self.assertTrue(a>b)

+    def test_gzip_decode_limit(self):

+        max_gzip_decode = 20 * 1024 * 1024

+        data = '\0' * max_gzip_decode

+        encoded = xmlrpclib.gzip_encode(data)

+        decoded = xmlrpclib.gzip_decode(encoded)

+        self.assertEqual(len(decoded), max_gzip_decode)

+

+        data = '\0' * (max_gzip_decode + 1)

+        encoded = xmlrpclib.gzip_encode(data)

+

+        with self.assertRaisesRegexp(ValueError,

+                                     "max gzipped payload length exceeded"):

+            xmlrpclib.gzip_decode(encoded)

+

+        xmlrpclib.gzip_decode(encoded, max_decode=-1)

+

+

 #Test special attributes of the ServerProxy object

 class ServerProxyTestCase(unittest.TestCase):

     def setUp(self):

diff --git a/Lib/xmlrpclib.py b/Lib/xmlrpclib.py

--- a/Lib/xmlrpclib.py

+++ b/Lib/xmlrpclib.py

@@ -49,6 +49,7 @@

 # 2003-07-12 gp  Correct marshalling of Faults

 # 2003-10-31 mvl Add multicall support

 # 2004-08-20 mvl Bump minimum supported Python version to 2.1

+# 2014-12-02 ch/doko  Add workaround for gzip bomb vulnerability

 #

 # Copyright (c) 1999-2002 by Secret Labs AB.

 # Copyright (c) 1999-2002 by Fredrik Lundh.

@@ -1165,10 +1166,13 @@ def gzip_encode(data):

 # in the HTTP header, as described in RFC 1952

 #

 # @param data The encoded data

+# @keyparam max_decode Maximum bytes to decode (20MB default), use negative

+#    values for unlimited decoding

 # @return the unencoded data

 # @raises ValueError if data is not correctly coded.

+# @raises ValueError if max gzipped payload length exceeded

-def gzip_decode(data):

+def gzip_decode(data, max_decode=20971520):

     """gzip encoded data -> unencoded data

     Decode data using the gzip content encoding as described in RFC 1952

@@ -1178,11 +1182,16 @@ def gzip_decode(data):

     f = StringIO.StringIO(data)

     gzf = gzip.GzipFile(mode="rb", fileobj=f)

     try:

-        decoded = gzf.read()

+        if max_decode < 0: # no limit

+            decoded = gzf.read()

+        else:

+            decoded = gzf.read(max_decode + 1)

     except IOError:

         raise ValueError("invalid data")

     f.close()

     gzf.close()

+    if max_decode >= 0 and len(decoded) > max_decode:

+        raise ValueError("max gzipped payload length exceeded")

     return decoded

 ##