|
 |
21eb11 |
|
|
|
21eb11 |
# HG changeset patch
|
|
|
21eb11 |
# User Benjamin Peterson <benjamin@python.org>
|
|
|
21eb11 |
# Date 1417828515 18000
|
|
|
21eb11 |
# Node ID d50096708b2d701937e78f525446d729fc28db88
|
|
|
21eb11 |
# Parent 923aac88a3cc76a95d5a04d9d3ece245147a8064
|
|
|
21eb11 |
add a default limit for the amount of data xmlrpclib.gzip_decode will return (closes #16043)
|
|
|
21eb11 |
|
|
|
21eb11 |
diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
|
|
|
21eb11 |
--- a/Lib/test/test_xmlrpc.py
|
|
|
21eb11 |
+++ b/Lib/test/test_xmlrpc.py
|
|
|
21eb11 |
@@ -737,7 +737,7 @@ class GzipServerTestCase(BaseServerTestC
|
|
|
21eb11 |
with cm:
|
|
|
21eb11 |
p.pow(6, 8)
|
|
|
21eb11 |
|
|
|
21eb11 |
- def test_gsip_response(self):
|
|
|
21eb11 |
+ def test_gzip_response(self):
|
|
|
21eb11 |
t = self.Transport()
|
|
|
21eb11 |
p = xmlrpclib.ServerProxy(URL, transport=t)
|
|
|
21eb11 |
old = self.requestHandler.encode_threshold
|
|
|
21eb11 |
@@ -750,6 +750,23 @@ class GzipServerTestCase(BaseServerTestC
|
|
|
21eb11 |
self.requestHandler.encode_threshold = old
|
|
|
21eb11 |
self.assertTrue(a>b)
|
|
|
21eb11 |
|
|
|
21eb11 |
+ def test_gzip_decode_limit(self):
|
|
|
21eb11 |
+ max_gzip_decode = 20 * 1024 * 1024
|
|
|
21eb11 |
+ data = '\0' * max_gzip_decode
|
|
|
21eb11 |
+ encoded = xmlrpclib.gzip_encode(data)
|
|
|
21eb11 |
+ decoded = xmlrpclib.gzip_decode(encoded)
|
|
|
21eb11 |
+ self.assertEqual(len(decoded), max_gzip_decode)
|
|
|
21eb11 |
+
|
|
|
21eb11 |
+ data = '\0' * (max_gzip_decode + 1)
|
|
|
21eb11 |
+ encoded = xmlrpclib.gzip_encode(data)
|
|
|
21eb11 |
+
|
|
|
21eb11 |
+ with self.assertRaisesRegexp(ValueError,
|
|
|
21eb11 |
+ "max gzipped payload length exceeded"):
|
|
|
21eb11 |
+ xmlrpclib.gzip_decode(encoded)
|
|
|
21eb11 |
+
|
|
|
21eb11 |
+ xmlrpclib.gzip_decode(encoded, max_decode=-1)
|
|
|
21eb11 |
+
|
|
|
21eb11 |
+
|
|
|
21eb11 |
#Test special attributes of the ServerProxy object
|
|
|
21eb11 |
class ServerProxyTestCase(unittest.TestCase):
|
|
|
21eb11 |
def setUp(self):
|
|
|
21eb11 |
diff --git a/Lib/xmlrpclib.py b/Lib/xmlrpclib.py
|
|
|
21eb11 |
--- a/Lib/xmlrpclib.py
|
|
|
21eb11 |
+++ b/Lib/xmlrpclib.py
|
|
|
21eb11 |
@@ -49,6 +49,7 @@
|
|
|
21eb11 |
# 2003-07-12 gp Correct marshalling of Faults
|
|
|
21eb11 |
# 2003-10-31 mvl Add multicall support
|
|
|
21eb11 |
# 2004-08-20 mvl Bump minimum supported Python version to 2.1
|
|
|
21eb11 |
+# 2014-12-02 ch/doko Add workaround for gzip bomb vulnerability
|
|
|
21eb11 |
#
|
|
|
21eb11 |
# Copyright (c) 1999-2002 by Secret Labs AB.
|
|
|
21eb11 |
# Copyright (c) 1999-2002 by Fredrik Lundh.
|
|
|
21eb11 |
@@ -1165,10 +1166,13 @@ def gzip_encode(data):
|
|
|
21eb11 |
# in the HTTP header, as described in RFC 1952
|
|
|
21eb11 |
#
|
|
|
21eb11 |
# @param data The encoded data
|
|
|
21eb11 |
+# @keyparam max_decode Maximum bytes to decode (20MB default), use negative
|
|
|
21eb11 |
+# values for unlimited decoding
|
|
|
21eb11 |
# @return the unencoded data
|
|
|
21eb11 |
# @raises ValueError if data is not correctly coded.
|
|
|
21eb11 |
+# @raises ValueError if max gzipped payload length exceeded
|
|
|
21eb11 |
|
|
|
21eb11 |
-def gzip_decode(data):
|
|
|
21eb11 |
+def gzip_decode(data, max_decode=20971520):
|
|
|
21eb11 |
"""gzip encoded data -> unencoded data
|
|
|
21eb11 |
|
|
|
21eb11 |
Decode data using the gzip content encoding as described in RFC 1952
|
|
|
21eb11 |
@@ -1178,11 +1182,16 @@ def gzip_decode(data):
|
|
|
21eb11 |
f = StringIO.StringIO(data)
|
|
|
21eb11 |
gzf = gzip.GzipFile(mode="rb", fileobj=f)
|
|
|
21eb11 |
try:
|
|
|
21eb11 |
- decoded = gzf.read()
|
|
|
21eb11 |
+ if max_decode < 0: # no limit
|
|
|
21eb11 |
+ decoded = gzf.read()
|
|
|
21eb11 |
+ else:
|
|
|
21eb11 |
+ decoded = gzf.read(max_decode + 1)
|
|
|
21eb11 |
except IOError:
|
|
|
21eb11 |
raise ValueError("invalid data")
|
|
|
21eb11 |
f.close()
|
|
|
21eb11 |
gzf.close()
|
|
|
21eb11 |
+ if max_decode >= 0 and len(decoded) > max_decode:
|
|
|
21eb11 |
+ raise ValueError("max gzipped payload length exceeded")
|
|
|
21eb11 |
return decoded
|
|
|
21eb11 |
|
|
|
21eb11 |
##
|