This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author socketpair
Recipients Arfrever, giampaolo.rodola, socketpair
Date 2011-02-21.04:56:58
SpamBayes Score 2.189648e-06
Marked as misclassified No
Message-id <>
Content class async_chat: handle_read():
            elif isinstance(terminator, int) or isinstance(terminator, long):
                # numeric terminator
                n = terminator
                if lb < n:
                    self.collect_incoming_data (self.ac_in_buffer)
                    self.ac_in_buffer = ''
                    self.terminator = self.terminator - lb
                    self.collect_incoming_data (self.ac_in_buffer[:n])
                    self.ac_in_buffer = self.ac_in_buffer[n:]
                    self.terminator = 0
suppose, terminator is -10. "if lb < n" never match. So, "else" branch executed.
next, it will call "self.collect_incoming_data (self.ac_in_buffer[:n])", to push data to user. It should push some data from beginning of the buffer, intead of this, total buffer except last 10  characters pushed.

Moreover, "self.ac_in_buffer = self.ac_in_buffer[n:]" shoudl give tail of the buffer, ut instead of this, "self.ac_in_buffer" will contain part of the tail.

Such behaviour may break protocol parsing. In my case, malicious user pass 'Content-Length: -100' and totally break protocol parsing. Crafted values may gain memory leak.

In any way, author of this code does not thought about negative n in constructions [:n] or [n:].
Date User Action Args
2011-02-21 04:56:59socketpairsetrecipients: + socketpair, giampaolo.rodola, Arfrever
2011-02-21 04:56:59socketpairsetmessageid: <>
2011-02-21 04:56:59socketpairlinkissue11259 messages
2011-02-21 04:56:58socketpaircreate