File xmlrpc_gzip_27.patch of Package python-doc
Index: Python-2.7.7/Doc/library/xmlrpclib.rst
===================================================================
--- Python-2.7.7.orig/Doc/library/xmlrpclib.rst 2014-05-31 20:58:38.000000000 +0200
+++ Python-2.7.7/Doc/library/xmlrpclib.rst 2014-06-20 14:51:40.282081132 +0200
@@ -127,6 +127,15 @@
*__dict__* attribute and don't have a base class that is marshalled in a
special way.
+.. data:: MAX_GZIP_DECODE
+
+ The module constant specifies the amount of bytes that are decompressed by
+ :func:`gzip_decode`. The default value is *20 MB*. A value of *-1* disables
+ the protection.
+
+ .. versionadded:: 2.7.4
+ The constant was added to strengthen the module against gzip bomb
+ attacks.
.. seealso::
Index: Python-2.7.7/Lib/xmlrpclib.py
===================================================================
--- Python-2.7.7.orig/Lib/xmlrpclib.py 2014-05-31 20:58:39.000000000 +0200
+++ Python-2.7.7/Lib/xmlrpclib.py 2014-06-20 14:51:40.282081132 +0200
@@ -49,6 +49,7 @@
# 2003-07-12 gp Correct marshalling of Faults
# 2003-10-31 mvl Add multicall support
# 2004-08-20 mvl Bump minimum supported Python version to 2.1
+# 2013-01-20 ch Add workaround for gzip bomb vulnerability
#
# Copyright (c) 1999-2002 by Secret Labs AB.
# Copyright (c) 1999-2002 by Fredrik Lundh.
@@ -147,6 +148,10 @@
except ImportError:
gzip = None #python can be built without zlib/gzip support
+# Limit the maximum amount of decoded data that is decompressed. The
+# limit prevents gzip bomb attacks.
+MAX_GZIP_DECODE = 20 * 1024 * 1024 # 20 MB
+
# --------------------------------------------------------------------
# Internal stuff
@@ -1178,11 +1183,16 @@
f = StringIO.StringIO(data)
gzf = gzip.GzipFile(mode="rb", fileobj=f)
try:
- decoded = gzf.read()
+ if MAX_GZIP_DECODE < 0: # no limit
+ decoded = gzf.read()
+ else:
+ decoded = gzf.read(MAX_GZIP_DECODE + 1)
except IOError:
raise ValueError("invalid data")
f.close()
gzf.close()
+ if MAX_GZIP_DECODE >= 0 and len(decoded) > MAX_GZIP_DECODE:
+ raise ValueError("max gzipped payload length exceeded")
return decoded
##
Index: Python-2.7.7/Lib/test/test_xmlrpc.py
===================================================================
--- Python-2.7.7.orig/Lib/test/test_xmlrpc.py 2014-05-31 20:58:39.000000000 +0200
+++ Python-2.7.7/Lib/test/test_xmlrpc.py 2014-06-20 14:51:59.993184645 +0200
@@ -24,6 +24,11 @@
gzip = None
try:
+ import gzip
+except ImportError:
+ gzip = None
+
+try:
unicode
except NameError:
have_unicode = False
@@ -737,7 +742,7 @@
with cm:
p.pow(6, 8)
- def test_gsip_response(self):
+ def test_gzip_response(self):
t = self.Transport()
p = xmlrpclib.ServerProxy(URL, transport=t)
old = self.requestHandler.encode_threshold
@@ -750,6 +755,27 @@
self.requestHandler.encode_threshold = old
self.assertTrue(a>b)
+ def test_gzip_decode_limit(self):
+ data = '\0' * xmlrpclib.MAX_GZIP_DECODE
+ encoded = xmlrpclib.gzip_encode(data)
+ decoded = xmlrpclib.gzip_decode(encoded)
+ self.assertEqual(len(decoded), xmlrpclib.MAX_GZIP_DECODE)
+
+ data = '\0' * (xmlrpclib.MAX_GZIP_DECODE + 1)
+ encoded = xmlrpclib.gzip_encode(data)
+
+ with self.assertRaisesRegexp(ValueError,
+ "max gzipped payload length exceeded"):
+ xmlrpclib.gzip_decode(encoded)
+
+ oldmax = xmlrpclib.MAX_GZIP_DECODE
+ try:
+ xmlrpclib.MAX_GZIP_DECODE = -1
+ xmlrpclib.gzip_decode(encoded)
+ finally:
+ xmlrpclib.MAX_GZIP_DECODE = oldmax
+
+
#Test special attributes of the ServerProxy object
class ServerProxyTestCase(unittest.TestCase):
def setUp(self):
