diff -r 66a261969c57 Lib/test/test_xmlrpc.py --- a/Lib/test/test_xmlrpc.py Mon Dec 01 16:59:02 2014 -0500 +++ b/Lib/test/test_xmlrpc.py Tue Dec 02 13:37:06 2014 +0100 @@ -737,7 +737,7 @@ with cm: p.pow(6, 8) - def test_gsip_response(self): + def test_gzip_response(self): t = self.Transport() p = xmlrpclib.ServerProxy(URL, transport=t) old = self.requestHandler.encode_threshold @@ -750,6 +750,23 @@ self.requestHandler.encode_threshold = old self.assertTrue(a>b) + def test_gzip_decode_limit(self): + max_gzip_decode = 20 * 1024 * 1024 + data = '0円' * max_gzip_decode + encoded = xmlrpclib.gzip_encode(data) + decoded = xmlrpclib.gzip_decode(encoded) + self.assertEqual(len(decoded), max_gzip_decode) + + data = '0円' * (max_gzip_decode + 1) + encoded = xmlrpclib.gzip_encode(data) + + with self.assertRaisesRegexp(ValueError, + "max gzipped payload length exceeded"): + xmlrpclib.gzip_decode(encoded) + + xmlrpclib.gzip_decode(encoded, max_decode=-1) + + #Test special attributes of the ServerProxy object class ServerProxyTestCase(unittest.TestCase): def setUp(self): diff -r 66a261969c57 Lib/xmlrpclib.py --- a/Lib/xmlrpclib.py Mon Dec 01 16:59:02 2014 -0500 +++ b/Lib/xmlrpclib.py Tue Dec 02 13:37:06 2014 +0100 @@ -49,6 +49,7 @@ # 2003年07月12日 gp Correct marshalling of Faults # 2003年10月31日 mvl Add multicall support # 2004年08月20日 mvl Bump minimum supported Python version to 2.1 +# 2014年12月02日 ch/doko Add workaround for gzip bomb vulnerability # # Copyright (c) 1999-2002 by Secret Labs AB. # Copyright (c) 1999-2002 by Fredrik Lundh. 
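Review bot: The unlimited-decode case at the end of test_gzip_decode_limit only checks that `xmlrpclib.gzip_decode(encoded, max_decode=-1)` does not raise; it never inspects the result, so a regression that returned truncated data for a negative limit would still pass. Bind and assert the length: `decoded = xmlrpclib.gzip_decode(encoded, max_decode=-1)` followed by `self.assertEqual(len(decoded), max_gzip_decode + 1)`. The test also hardcodes `20 * 1024 * 1024` instead of deriving it from the function's default, so the two can drift silently, and a `max_decode=0` boundary case (a single decoded byte must raise) would be cheap to add. The `'0円'` in the data lines looks like a page-rendering artifact for a NUL escape rather than the literal source text — confirm against the original file.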
@@ -1165,10 +1166,12 @@ # in the HTTP header, as described in RFC 1952 # # @param data The encoded data +# @keyparam max_decode Maximum bytes to decode (20MB default), use negative +# values for unlimited decoding # @return the unencoded data # @raises ValueError if data is not correctly coded. -def gzip_decode(data): +def gzip_decode(data, max_decode=20971520): """gzip encoded data -> unencoded data Decode data using the gzip content encoding as described in RFC 1952 @@ -1178,11 +1181,16 @@ f = StringIO.StringIO(data) gzf = gzip.GzipFile(mode="rb", fileobj=f) try: - decoded = gzf.read() + if max_decode < 0: # no limit + decoded = gzf.read() + else: + decoded = gzf.read(max_decode + 1) except IOError: raise ValueError("invalid data") f.close() gzf.close() + if max_decode>= 0 and len(decoded)> max_decode: + raise ValueError("max gzipped payload length exceeded") return decoded ##
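Review bot: The docstring of gzip_decode still describes only the RFC 1952 decoding, while the new `max_decode` parameter and the additional ValueError are documented solely in the `#` comment block above it, and the `@raises` line is now incomplete. Change it to `# @raises ValueError if data is not correctly coded or its decoded size exceeds max_decode` and add one sentence to the docstring stating that the decoded length is capped at max_decode bytes (20971520, i.e. 20 MiB, by default) and that a negative value disables the cap. The function body continues outside this hunk.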
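Review bot: The message raised by the new check, `"max gzipped payload length exceeded"`, names the wrong quantity: the limit is on the decompressed length, not on the gzipped input, and that distinction is the whole point of a decompression-bomb bound; `raise ValueError("max decoded payload length exceeded")` reads correctly, with the regexp in test_gzip_decode_limit updated to match. The comparison line also lacks PEP 8 spacing: `if max_decode >= 0 and len(decoded) > max_decode:`. The bound depends on `gzf.read(max_decode + 1)` decompressing only enough to satisfy the request rather than inflating the whole member — that holds for the stdlib GzipFile as far as I know, but a short comment on that line would make the intent explicit. This limit only protects callers that go through gzip_decode; if the client-side response path streams through a GzipFile directly instead of calling gzip_decode, it is not covered by this change, which is worth confirming. gzip_decode's signature lies outside this hunk.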
