[Python-checkins] cpython (merge 3.2 -> 3.3): merge 3.2 (#16043)

Sat Dec 6 02:36:15 CET 2014

https://hg.python.org/cpython/rev/4a9418c6f8ae
changeset: 93754:4a9418c6f8ae
branch: 3.3
parent: 93393:6c46859edfd7
parent: 93753:a0368f81af9a
user: Benjamin Peterson <benjamin at python.org>
date: Fri Dec 05 20:30:54 2014 -0500
summary:
 merge 3.2 (#16043)
files:
 Lib/test/test_xmlrpc.py | 23 ++++++++++++++++++++++-
 Lib/xmlrpc/client.py | 13 +++++++++++--
 Misc/NEWS | 3 +++
 3 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
--- a/Lib/test/test_xmlrpc.py
+++ b/Lib/test/test_xmlrpc.py
@@ -845,7 +845,7 @@
 p.pow(6, 8)
 p("close")()
 
- def test_gsip_response(self):
+ def test_gzip_response(self):
 t = self.Transport()
 p = xmlrpclib.ServerProxy(URL, transport=t)
 old = self.requestHandler.encode_threshold
@@ -859,6 +859,26 @@
 self.requestHandler.encode_threshold = old
 self.assertTrue(a>b)
 
+
+class GzipUtilTestCase(unittest.TestCase):
+
+ def test_gzip_decode_limit(self):
+ max_gzip_decode = 20 * 1024 * 1024
+ data = b'0円' * max_gzip_decode
+ encoded = xmlrpclib.gzip_encode(data)
+ decoded = xmlrpclib.gzip_decode(encoded)
+ self.assertEqual(len(decoded), max_gzip_decode)
+
+ data = b'0円' * (max_gzip_decode + 1)
+ encoded = xmlrpclib.gzip_encode(data)
+
+ with self.assertRaisesRegexp(ValueError,
+ "max gzipped payload length exceeded"):
+ xmlrpclib.gzip_decode(encoded)
+
+ xmlrpclib.gzip_decode(encoded, max_decode=-1)
+
+
 #Test special attributes of the ServerProxy object
 class ServerProxyTestCase(unittest.TestCase):
 def setUp(self):
@@ -1093,6 +1113,7 @@
 try:
 import gzip
 xmlrpc_tests.append(GzipServerTestCase)
+ xmlrpc_tests.append(GzipUtilTestCase)
 except ImportError:
 pass #gzip not supported in this build
 xmlrpc_tests.append(MultiPathServerTestCase)
diff --git a/Lib/xmlrpc/client.py b/Lib/xmlrpc/client.py
--- a/Lib/xmlrpc/client.py
+++ b/Lib/xmlrpc/client.py
@@ -49,6 +49,7 @@
 # 2003年07月12日 gp Correct marshalling of Faults
 # 2003年10月31日 mvl Add multicall support
 # 2004年08月20日 mvl Bump minimum supported Python version to 2.1
+# 2014年12月02日 ch/doko Add workaround for gzip bomb vulnerability
 #
 # Copyright (c) 1999-2002 by Secret Labs AB.
 # Copyright (c) 1999-2002 by Fredrik Lundh.
@@ -1031,10 +1032,13 @@
 # in the HTTP header, as described in RFC 1952
 #
 # @param data The encoded data
+# @keyparam max_decode Maximum bytes to decode (20MB default), use negative
+# values for unlimited decoding
 # @return the unencoded data
 # @raises ValueError if data is not correctly coded.
+# @raises ValueError if max gzipped payload length exceeded
 
-def gzip_decode(data):
+def gzip_decode(data, max_decode=20971520):
 """gzip encoded data -> unencoded data
 
 Decode data using the gzip content encoding as described in RFC 1952
@@ -1044,11 +1048,16 @@
 f = BytesIO(data)
 gzf = gzip.GzipFile(mode="rb", fileobj=f)
 try:
- decoded = gzf.read()
+ if max_decode < 0: # no limit
+ decoded = gzf.read()
+ else:
+ decoded = gzf.read(max_decode + 1)
 except IOError:
 raise ValueError("invalid data")
 f.close()
 gzf.close()
+ if max_decode >= 0 and len(decoded) > max_decode:
+ raise ValueError("max gzipped payload length exceeded")
 return decoded
 
 ##
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -26,6 +26,9 @@
 Library
 -------
 
+- Issue #16043: Add a default limit for the amount of data xmlrpclib.gzip_decode
+ will return. This resolves CVE-2013-1753.
+
 - Issue #22517: When a io.BufferedRWPair object is deallocated, clear its
 weakrefs.
 
-- 
Repository URL: https://hg.python.org/cpython
