Message171246
The xmlrpc client library is the only stdlib module that has a gzip decompression handler for compressed HTTP streams. The gzip_decode() function decompresses HTTP bodies that are compressed and sent with Accept-Encoding: x-gzip.
A malicious server can send a specially prepared HTTP request that can consume lots of memory. For example 1 GB of \0 bytes is less than 1 MB of gzip data.
Suggestion:
The gzip_decode() should only decode a sane amount of bytes (for example 50 MB) and raise an exception when more data is to be read. |
|
Date |
User |
Action |
Args |
2012-09-25 10:52:06 | christian.heimes | set | recipients:
+ christian.heimes |
2012-09-25 10:52:06 | christian.heimes | set | messageid: <1348570326.9.0.587983624118.issue16043@psf.upfronthosting.co.za> |
2012-09-25 10:52:06 | christian.heimes | link | issue16043 messages |
2012-09-25 10:52:06 | christian.heimes | create | |
|