File xmlrpc_gzip_27.patch of Package python-doc.144
Index: Python-2.7.7/Doc/library/xmlrpclib.rst
===================================================================
--- Python-2.7.7.orig/Doc/library/xmlrpclib.rst	2014-05-31 20:58:38.000000000 +0200
+++ Python-2.7.7/Doc/library/xmlrpclib.rst	2014-06-20 14:51:40.282081132 +0200
@@ -127,6 +127,15 @@
 *__dict__* attribute and don't have a base class that is marshalled in a
 special way.
 
+.. data:: MAX_GZIP_DECODE
+
+   The module constant specifies the amount of bytes that are decompressed by
+   :func:`gzip_decode`. The default value is *20 MB*. A value of *-1* disables
+   the protection.
+
+   .. versionadded:: 2.7.4
+      The constant was added to strengthen the module against gzip bomb
+      attacks.
 
 .. seealso::
 
Index: Python-2.7.7/Lib/xmlrpclib.py
===================================================================
--- Python-2.7.7.orig/Lib/xmlrpclib.py	2014-05-31 20:58:39.000000000 +0200
+++ Python-2.7.7/Lib/xmlrpclib.py	2014-06-20 14:51:40.282081132 +0200
@@ -49,6 +49,7 @@
 # 2003-07-12 gp Correct marshalling of Faults
 # 2003-10-31 mvl Add multicall support
 # 2004-08-20 mvl Bump minimum supported Python version to 2.1
+# 2013-01-20 ch Add workaround for gzip bomb vulnerability
 #
 # Copyright (c) 1999-2002 by Secret Labs AB.
 # Copyright (c) 1999-2002 by Fredrik Lundh.
@@ -147,6 +148,10 @@
 except ImportError:
     gzip = None #python can be built without zlib/gzip support
 
+# Limit the maximum amount of decoded data that is decompressed. The
+# limit prevents gzip bomb attacks.
+MAX_GZIP_DECODE = 20 * 1024 * 1024 # 20 MB
+
 # --------------------------------------------------------------------
 # Internal stuff
 
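Review bot: The comment introduced above `MAX_GZIP_DECODE` in the `@@ -147,6 +148,10 @@` hunk does not say that a negative value disables the limit, even though the decoder change later in this patch treats `MAX_GZIP_DECODE < 0` as "no limit" and the rst text documents `-1` for exactly that. Because this constant is the knob an operator will tune, the sentinel belongs next to its definition: `# Upper bound on the decompressed size gzip_decode() will return; a negative value disables the check.` The accompanying `versionadded:: 2.7.4` in the rst hunk also looks worth confirming against the upstream release that actually shipped the constant, since this patch is being carried against a 2.7.7 tree that evidently lacks it.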
@@ -1178,11 +1183,16 @@
     f = StringIO.StringIO(data)
     gzf = gzip.GzipFile(mode="rb", fileobj=f)
     try:
-        decoded = gzf.read()
+        if MAX_GZIP_DECODE < 0: # no limit
+            decoded = gzf.read()
+        else:
+            decoded = gzf.read(MAX_GZIP_DECODE + 1)
     except IOError:
         raise ValueError("invalid data")
     f.close()
     gzf.close()
+    if MAX_GZIP_DECODE >= 0 and len(decoded) > MAX_GZIP_DECODE:
+        raise ValueError("max gzipped payload length exceeded")
     return decoded
 
 ##
Index: Python-2.7.7/Lib/test/test_xmlrpc.py
===================================================================
--- Python-2.7.7.orig/Lib/test/test_xmlrpc.py	2014-05-31 20:58:39.000000000 +0200
+++ Python-2.7.7/Lib/test/test_xmlrpc.py	2014-06-20 14:51:59.993184645 +0200
@@ -24,6 +24,11 @@
     gzip = None
 
 try:
+    import gzip
+except ImportError:
+    gzip = None
+
+try:
     unicode
 except NameError:
     have_unicode = False
@@ -737,7 +742,7 @@
         with cm:
             p.pow(6, 8)
 
-    def test_gsip_response(self):
+    def test_gzip_response(self):
         t = self.Transport()
         p = xmlrpclib.ServerProxy(URL, transport=t)
         old = self.requestHandler.encode_threshold
@@ -750,6 +755,27 @@
         self.requestHandler.encode_threshold = old
         self.assertTrue(a>b)
 
+    def test_gzip_decode_limit(self):
+        data = '\0' * xmlrpclib.MAX_GZIP_DECODE
+        encoded = xmlrpclib.gzip_encode(data)
+        decoded = xmlrpclib.gzip_decode(encoded)
+        self.assertEqual(len(decoded), xmlrpclib.MAX_GZIP_DECODE)
+
+        data = '\0' * (xmlrpclib.MAX_GZIP_DECODE + 1)
+        encoded = xmlrpclib.gzip_encode(data)
+
+        with self.assertRaisesRegexp(ValueError,
+                "max gzipped payload length exceeded"):
+            xmlrpclib.gzip_decode(encoded)
+
+        oldmax = xmlrpclib.MAX_GZIP_DECODE
+        try:
+            xmlrpclib.MAX_GZIP_DECODE = -1
+            xmlrpclib.gzip_decode(encoded)
+        finally:
+            xmlrpclib.MAX_GZIP_DECODE = oldmax
+
+
 #Test special attributes of the ServerProxy object
 class ServerProxyTestCase(unittest.TestCase):
     def setUp(self):
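Review bot: The new size-limit `ValueError` in gzip_decode is not reflected in the function's docstring, which sits above the `@@ -1178,11 +1183,16 @@` hunk; a caller that already catches `ValueError` for "invalid data" now also receives the oversize error under the same exception type with no documented way to tell them apart. Add to the docstring: `Raises ValueError if the decoded data would exceed MAX_GZIP_DECODE bytes; a negative MAX_GZIP_DECODE disables the limit.` The bounded `gzf.read(MAX_GZIP_DECODE + 1)` correctly caps the buffered output at one byte over the limit, so the post-close length check is sufficient to reject the oversize case without ever inflating the whole payload. gzip_decode's signature and docstring start outside the hunk.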
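Review bot: The context line `gzip = None` immediately above the insertion point in the `@@ -24,6 +24,11 @@` hunk of test_xmlrpc.py suggests the test module already binds `gzip` with the same ImportError fallback, which would make the five added lines a duplicate of the block directly above them. If that is so they can be dropped without changing behaviour; if the earlier fallback is for a different name, a one-line comment such as `# gzip is also needed directly by test_gzip_decode_limit` would save the next reader the same question. The enclosing import section begins outside the hunk.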
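Review bot: `test_gzip_decode_limit` in the `@@ -750,6 +755,27 @@` hunk allocates and compresses two buffers of about 20 MB each (`'\0' * xmlrpclib.MAX_GZIP_DECODE` and one byte more), making it far heavier than anything else in the file, and its final "limit disabled" branch calls `gzip_decode` without asserting the result. Since gzip_decode reads the module constant at call time — the test itself relies on that when it assigns `xmlrpclib.MAX_GZIP_DECODE = -1` — the at-limit, over-limit and disabled paths can all be covered with a small temporary limit inside one try/finally, restoring `oldmax` afterwards, and the disabled case can check the decoded length. The rewritten method below keeps the same assertions and error-message match while avoiding the multi-megabyte payloads.
```python
    def test_gzip_decode_limit(self):
        oldmax = xmlrpclib.MAX_GZIP_DECODE
        try:
            # A small temporary limit exercises the same three paths
            # without building the default 20 MB payload twice.
            xmlrpclib.MAX_GZIP_DECODE = 1024
            data = '\0' * xmlrpclib.MAX_GZIP_DECODE
            encoded = xmlrpclib.gzip_encode(data)
            decoded = xmlrpclib.gzip_decode(encoded)
            self.assertEqual(len(decoded), xmlrpclib.MAX_GZIP_DECODE)

            data = '\0' * (xmlrpclib.MAX_GZIP_DECODE + 1)
            encoded = xmlrpclib.gzip_encode(data)
            with self.assertRaisesRegexp(ValueError,
                    "max gzipped payload length exceeded"):
                xmlrpclib.gzip_decode(encoded)

            # A negative limit disables the check entirely.
            xmlrpclib.MAX_GZIP_DECODE = -1
            self.assertEqual(len(xmlrpclib.gzip_decode(encoded)), len(data))
        finally:
            xmlrpclib.MAX_GZIP_DECODE = oldmax
```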