Message 171246 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

In-reply-to
Author	christian.heimes
Recipients	christian.heimes
Date	2012年09月25日.10:52:06
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1348570326.9.0.587983624118.issue16043@psf.upfronthosting.co.za>

Content
The xmlrpc client library is the only stdlib module that has a gzip decompression handler for compressed HTTP streams. The gzip_decode() function decompresses HTTP bodies that are compressed and sent with Accept-Encoding: x-gzip. A malicious server can send a specially prepared HTTP request that can consume lots of memory. For example 1 GB of 0円 bytes is less than 1 MB of gzip data. Suggestion: The gzip_decode() should only decode a sane amount of bytes (for example 50 MB) and raise an exception when more data is to be read.

Content

The xmlrpc client library is the only stdlib module that has a gzip decompression handler for compressed HTTP streams. The gzip_decode() function decompresses HTTP bodies that are compressed and sent with Accept-Encoding: x-gzip.
A malicious server can send a specially prepared HTTP request that can consume lots of memory. For example 1 GB of 0円 bytes is less than 1 MB of gzip data.
Suggestion:
The gzip_decode() should only decode a sane amount of bytes (for example 50 MB) and raise an exception when more data is to be read.

History
Date	User	Action	Args
2012年09月25日 10:52:06	christian.heimes	set	recipients: + christian.heimes
2012年09月25日 10:52:06	christian.heimes	set	messageid: <1348570326.9.0.587983624118.issue16043@psf.upfronthosting.co.za>
2012年09月25日 10:52:06	christian.heimes	link	issue16043 messages
2012年09月25日 10:52:06	christian.heimes	create

homepage