Message 171246 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	christian.heimes
Date	2012-09-25.10:52:06
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1348570326.9.0.587983624118.issue16043@psf.upfronthosting.co.za>
In-reply-to

Content
The xmlrpc client library is the only stdlib module that has a gzip decompression handler for compressed HTTP streams. The gzip_decode() function decompresses HTTP bodies that are compressed and sent with Accept-Encoding: x-gzip. A malicious server can send a specially prepared HTTP request that can consume lots of memory. For example 1 GB of \0 bytes is less than 1 MB of gzip data. Suggestion: The gzip_decode() should only decode a sane amount of bytes (for example 50 MB) and raise an exception when more data is to be read.

The xmlrpc client library is the only stdlib module that has a gzip decompression handler for compressed HTTP streams. The gzip_decode() function decompresses HTTP bodies that are compressed and sent with Accept-Encoding: x-gzip.

A malicious server can send a specially prepared HTTP request that can consume lots of memory. For example 1 GB of \0 bytes is less than 1 MB of gzip data.

Suggestion:
The gzip_decode() should only decode a sane amount of bytes (for example 50 MB) and raise an exception when more data is to be read.

History
Date	User	Action	Args
2012-09-25 10:52:06	christian.heimes	set	recipients: + christian.heimes
2012-09-25 10:52:06	christian.heimes	set	messageid: <1348570326.9.0.587983624118.issue16043@psf.upfronthosting.co.za>
2012-09-25 10:52:06	christian.heimes	link	issue16043 messages
2012-09-25 10:52:06	christian.heimes	create