base/SOURCES/00199-CVE-2013-1753.patch


# HG changeset patch
# User Benjamin Peterson <benjamin@python.org>
# Date 1417828515 18000
# Node ID d50096708b2d701937e78f525446d729fc28db88
# Parent  923aac88a3cc76a95d5a04d9d3ece245147a8064
add a default limit for the amount of data xmlrpclib.gzip_decode will return (closes #16043)

diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
--- a/Lib/test/test_xmlrpc.py
+++ b/Lib/test/test_xmlrpc.py
@@ -737,7 +737,7 @@ class GzipServerTestCase(BaseServerTestC
         with cm:
             p.pow(6, 8)
 
-    def test_gsip_response(self):
+    def test_gzip_response(self):
         t = self.Transport()
         p = xmlrpclib.ServerProxy(URL, transport=t)
         old = self.requestHandler.encode_threshold
@@ -750,6 +750,23 @@ class GzipServerTestCase(BaseServerTestC
         self.requestHandler.encode_threshold = old
         self.assertTrue(a>b)
 
+    def test_gzip_decode_limit(self):
+        max_gzip_decode = 20 * 1024 * 1024
+        data = '\0' * max_gzip_decode
+        encoded = xmlrpclib.gzip_encode(data)
+        decoded = xmlrpclib.gzip_decode(encoded)
+        self.assertEqual(len(decoded), max_gzip_decode)
+
+        data = '\0' * (max_gzip_decode + 1)
+        encoded = xmlrpclib.gzip_encode(data)
+
+        with self.assertRaisesRegexp(ValueError,
+                                     "max gzipped payload length exceeded"):
+            xmlrpclib.gzip_decode(encoded)
+
+        xmlrpclib.gzip_decode(encoded, max_decode=-1)
+
+
 #Test special attributes of the ServerProxy object
 class ServerProxyTestCase(unittest.TestCase):
     def setUp(self):
diff --git a/Lib/xmlrpclib.py b/Lib/xmlrpclib.py
--- a/Lib/xmlrpclib.py
+++ b/Lib/xmlrpclib.py
@@ -49,6 +49,7 @@
 # 2003-07-12 gp  Correct marshalling of Faults
 # 2003-10-31 mvl Add multicall support
 # 2004-08-20 mvl Bump minimum supported Python version to 2.1
+# 2014-12-02 ch/doko  Add workaround for gzip bomb vulnerability
 #
 # Copyright (c) 1999-2002 by Secret Labs AB.
 # Copyright (c) 1999-2002 by Fredrik Lundh.
@@ -1165,10 +1166,13 @@ def gzip_encode(data):
 # in the HTTP header, as described in RFC 1952
 #
 # @param data The encoded data
+# @keyparam max_decode Maximum bytes to decode (20MB default), use negative
+#    values for unlimited decoding
 # @return the unencoded data
 # @raises ValueError if data is not correctly coded.
+# @raises ValueError if max gzipped payload length exceeded
 
-def gzip_decode(data):
+def gzip_decode(data, max_decode=20971520):
     """gzip encoded data -> unencoded data
 
     Decode data using the gzip content encoding as described in RFC 1952
@@ -1178,11 +1182,16 @@ def gzip_decode(data):
     f = StringIO.StringIO(data)
     gzf = gzip.GzipFile(mode="rb", fileobj=f)
     try:
-        decoded = gzf.read()
+        if max_decode < 0: # no limit
+            decoded = gzf.read()
+        else:
+            decoded = gzf.read(max_decode + 1)
     except IOError:
         raise ValueError("invalid data")
     f.close()
     gzf.close()
+    if max_decode >= 0 and len(decoded) > max_decode:
+        raise ValueError("max gzipped payload length exceeded")
     return decoded
 
 ##
python package update Signed-off-by: basebuilder_pel7ppc64lebuilder0 <basebuilder@powerel.org> 4 years ago
			`# HG changeset patch`
			`# User Benjamin Peterson <benjamin@python.org>`
			`# Date 1417828515 18000`
			`# Node ID d50096708b2d701937e78f525446d729fc28db88`
			`# Parent 923aac88a3cc76a95d5a04d9d3ece245147a8064`
			`add a default limit for the amount of data xmlrpclib.gzip_decode will return (closes #16043)`

			`diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py`
			`--- a/Lib/test/test_xmlrpc.py`
			`+++ b/Lib/test/test_xmlrpc.py`
			`@@ -737,7 +737,7 @@ class GzipServerTestCase(BaseServerTestC`
			`with cm:`
			`p.pow(6, 8)`

			`- def test_gsip_response(self):`
			`+ def test_gzip_response(self):`
			`t = self.Transport()`
			`p = xmlrpclib.ServerProxy(URL, transport=t)`
			`old = self.requestHandler.encode_threshold`
			`@@ -750,6 +750,23 @@ class GzipServerTestCase(BaseServerTestC`
			`self.requestHandler.encode_threshold = old`
			`self.assertTrue(a>b)`

			`+ def test_gzip_decode_limit(self):`
			`+ max_gzip_decode = 20 * 1024 * 1024`
			`+ data = '\0' * max_gzip_decode`
			`+ encoded = xmlrpclib.gzip_encode(data)`
			`+ decoded = xmlrpclib.gzip_decode(encoded)`
			`+ self.assertEqual(len(decoded), max_gzip_decode)`
			`+`
			`+ data = '\0' * (max_gzip_decode + 1)`
			`+ encoded = xmlrpclib.gzip_encode(data)`
			`+`
			`+ with self.assertRaisesRegexp(ValueError,`
			`+ "max gzipped payload length exceeded"):`
			`+ xmlrpclib.gzip_decode(encoded)`
			`+`
			`+ xmlrpclib.gzip_decode(encoded, max_decode=-1)`
			`+`
			`+`
			`#Test special attributes of the ServerProxy object`
			`class ServerProxyTestCase(unittest.TestCase):`
			`def setUp(self):`
			`diff --git a/Lib/xmlrpclib.py b/Lib/xmlrpclib.py`
			`--- a/Lib/xmlrpclib.py`
			`+++ b/Lib/xmlrpclib.py`
			`@@ -49,6 +49,7 @@`
			`# 2003-07-12 gp Correct marshalling of Faults`
			`# 2003-10-31 mvl Add multicall support`
			`# 2004-08-20 mvl Bump minimum supported Python version to 2.1`
			`+# 2014-12-02 ch/doko Add workaround for gzip bomb vulnerability`
			`#`
			`# Copyright (c) 1999-2002 by Secret Labs AB.`
			`# Copyright (c) 1999-2002 by Fredrik Lundh.`
			`@@ -1165,10 +1166,13 @@ def gzip_encode(data):`
			`# in the HTTP header, as described in RFC 1952`
			`#`
			`# @param data The encoded data`
			`+# @keyparam max_decode Maximum bytes to decode (20MB default), use negative`
			`+# values for unlimited decoding`
			`# @return the unencoded data`
			`# @raises ValueError if data is not correctly coded.`
			`+# @raises ValueError if max gzipped payload length exceeded`

			`-def gzip_decode(data):`
			`+def gzip_decode(data, max_decode=20971520):`
			`"""gzip encoded data -> unencoded data`

			`Decode data using the gzip content encoding as described in RFC 1952`
			`@@ -1178,11 +1182,16 @@ def gzip_decode(data):`
			`f = StringIO.StringIO(data)`
			`gzf = gzip.GzipFile(mode="rb", fileobj=f)`
			`try:`
			`- decoded = gzf.read()`
			`+ if max_decode < 0: # no limit`
			`+ decoded = gzf.read()`
			`+ else:`
			`+ decoded = gzf.read(max_decode + 1)`
			`except IOError:`
			`raise ValueError("invalid data")`
			`f.close()`
			`gzf.close()`
			`+ if max_decode >= 0 and len(decoded) > max_decode:`
			`+ raise ValueError("max gzipped payload length exceeded")`
			`return decoded`

			`##`