[issue16043] xmlrpc: gzip_decode has unlimited read()
Jim Jewett
report at bugs.python.org
Tue Mar 18 16:00:45 CET 2014
Jim Jewett added the comment:
I'm putting it back to release blocker, because 3.3 should decide whether to fix it/call it security/remove itself from the list.
The patch contains several small changes. I like the spelling fix (gsip -> gzip) in a test method, but otherwise, I prefer the alternative solution of an additional function parameter with a default.
I would prefer that the marker for "no limit" be None, rather than -1, 0, or anything less than 0.
I also don't see the point of raising a too-much-data ValueError *after* decoding. While that *might* mean we set the default too low, all we would really know for sure is that there would be a bug in gzip.GzipFile().read -- and ValueError suggests otherwise.
----------
nosy: +Jim.Jewett
priority: critical -> release blocker
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue16043>
_______________________________________
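As an added illustration of the design the comment argues for (a size-limit keyword with a default, `None` meaning "no limit"), the following is an example `gzip_decode` written for this page; it is not the patch attached to the issue and not the code that shipped in `xmlrpc.client`. The parameter name `max_decode`, the default ceiling, and the `gzip_encode` / `make_bomb` / `exceeds_limit` helpers are assumptions made here. The defensive point is the decompression-bomb case: a few kilobytes of gzip can expand to many megabytes, so the decoder asks `GzipFile.read()` for at most `max_decode + 1` bytes and refuses the payload if that extra byte arrives, instead of decoding everything first and checking afterwards.

```python
import gzip
import io

# Default ceiling on the decoded size in bytes. The value is an assumption for
# this example, not the default chosen in the tracker patch.
DEFAULT_MAX_DECODE = 20 * 1024 * 1024


def gzip_encode(data):
    """gzip-compress bytes (mirrors the shape of xmlrpc.client.gzip_encode)."""
    return gzip.compress(data)


def gzip_decode(data, max_decode=DEFAULT_MAX_DECODE):
    """Decompress gzip-encoded bytes, refusing output larger than max_decode.

    max_decode=None means no limit (the "no limit" marker the comment prefers);
    otherwise it is a non-negative upper bound in bytes on the decoded size.
    """
    if max_decode is not None and max_decode < 0:
        raise ValueError("max_decode must be None or a non-negative integer")
    with gzip.GzipFile(mode="rb", fileobj=io.BytesIO(data)) as gzf:
        try:
            if max_decode is None:
                decoded = gzf.read()
            else:
                # Request one byte more than allowed: if it is returned, the
                # payload is too large and the remainder is never inflated.
                decoded = gzf.read(max_decode + 1)
        except (OSError, EOFError):
            # BadGzipFile (an OSError subclass) for corrupt headers/trailers,
            # EOFError for a truncated stream.
            raise ValueError("invalid data")
    if max_decode is not None and len(decoded) > max_decode:
        raise ValueError("max gzipped payload length exceeded")
    return decoded


def make_bomb(decoded_size):
    """Constructed test input: a tiny gzip stream that inflates to decoded_size
    bytes (all zeros compress extremely well)."""
    return gzip_encode(b"\0" * decoded_size)


def exceeds_limit(data, max_decode):
    """True if gzip_decode rejects data under the given limit, else False."""
    try:
        gzip_decode(data, max_decode=max_decode)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bomb = make_bomb(1_000_000)
    print("compressed bytes:", len(bomb))
    print("rejected at 1 KiB limit:", exceeds_limit(bomb, 1024))
    print("decoded with no limit:", len(gzip_decode(bomb, max_decode=None)))
```

Callers that genuinely need unbounded output pass `max_decode=None` explicitly; everything else gets the default ceiling, which is the behaviour a keyword-with-default gives without changing the existing call signature.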