[New-bugs-announce] [issue16043] xmlrpc: gzip_decode has unlimited read()
Christian Heimes
report at bugs.python.org
Tue Sep 25 12:52:06 CEST 2012
New submission from Christian Heimes:
The xmlrpc client library is the only stdlib module that has a gzip decompression handler for compressed HTTP streams. The gzip_decode() function decompresses HTTP bodies that are compressed and sent with Accept-Encoding: x-gzip.
A malicious server can send a specially prepared HTTP request that can consume lots of memory. For example 1 GB of \0 bytes is less than 1 MB of gzip data.
Suggestion:
The gzip_decode() should only decode a sane amount of bytes (for example 50 MB) and raise an exception when more data is to be read.
----------
components: Library (Lib)
messages: 171246
nosy: christian.heimes
priority: normal
severity: normal
status: open
title: xmlrpc: gzip_decode has unlimited read()
type: resource usage
versions: Python 2.7, Python 3.2, Python 3.3
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue16043>
_______________________________________
More information about the New-bugs-announce
mailing list