Message 171246 - Python tracker

Message171246

Author	christian.heimes
Recipients	christian.heimes
Date	2012-09-25.10:52:06
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1348570326.9.0.587983624118.issue16043@psf.upfronthosting.co.za>
In-reply-to

Content
The xmlrpc client library is the only stdlib module that has a gzip decompression handler for compressed HTTP streams. The gzip_decode() function decompresses HTTP bodies that are compressed and sent with Accept-Encoding: x-gzip. A malicious server can send a specially prepared HTTP request that can consume lots of memory. For example 1 GB of \0 bytes is less than 1 MB of gzip data. Suggestion: The gzip_decode() should only decode a sane amount of bytes (for example 50 MB) and raise an exception when more data is to be read.

Content

The xmlrpc client library is the only stdlib module that has a gzip decompression handler for compressed HTTP streams. The gzip_decode() function decompresses HTTP bodies that are compressed and sent with Accept-Encoding: x-gzip.

A malicious server can send a specially prepared HTTP request that can consume lots of memory. For example 1 GB of \0 bytes is less than 1 MB of gzip data.

Suggestion:
The gzip_decode() should only decode a sane amount of bytes (for example 50 MB) and raise an exception when more data is to be read.

History
Date	User	Action	Args
2012-09-25 10:52:06	christian.heimes	set	recipients: + christian.heimes
2012-09-25 10:52:06	christian.heimes	set	messageid: <1348570326.9.0.587983624118.issue16043@psf.upfronthosting.co.za>
2012-09-25 10:52:06	christian.heimes	link	issue16043 messages
2012-09-25 10:52:06	christian.heimes	create