python/xmlrpc_gzip_27.patch

Index: Python-2.7.7/Doc/library/xmlrpclib.rst
===================================================================
--- Python-2.7.7.orig/Doc/library/xmlrpclib.rst	2014-05-31 20:58:38.000000000 +0200
+++ Python-2.7.7/Doc/library/xmlrpclib.rst	2014-06-20 14:51:40.282081132 +0200
@@ -127,6 +127,15 @@
       *__dict__* attribute and don't have a base class that is marshalled in a
       special way.
 
+.. data:: MAX_GZIP_DECODE
+
+   The module constant specifies the amount of bytes that are decompressed by
+   :func:`gzip_decode`. The default value is *20 MB*. A value of *-1* disables
+   the protection.
+
+   .. versionadded:: 2.7.4
+      The constant was added to strengthen the module against gzip bomb
+      attacks.
 
 .. seealso::
 
Index: Python-2.7.7/Lib/xmlrpclib.py
===================================================================
--- Python-2.7.7.orig/Lib/xmlrpclib.py	2014-05-31 20:58:39.000000000 +0200
+++ Python-2.7.7/Lib/xmlrpclib.py	2014-06-20 14:51:40.282081132 +0200
@@ -49,6 +49,7 @@
 # 2003-07-12 gp  Correct marshalling of Faults
 # 2003-10-31 mvl Add multicall support
 # 2004-08-20 mvl Bump minimum supported Python version to 2.1
+# 2013-01-20 ch  Add workaround for gzip bomb vulnerability
 #
 # Copyright (c) 1999-2002 by Secret Labs AB.
 # Copyright (c) 1999-2002 by Fredrik Lundh.
@@ -147,6 +148,10 @@
 except ImportError:
     gzip = None #python can be built without zlib/gzip support
 
+# Limit the maximum amount of decoded data that is decompressed. The
+# limit prevents gzip bomb attacks.
+MAX_GZIP_DECODE = 20 * 1024 * 1024 # 20 MB
+
 # --------------------------------------------------------------------
 # Internal stuff
 
@@ -1178,11 +1183,16 @@
     f = StringIO.StringIO(data)
     gzf = gzip.GzipFile(mode="rb", fileobj=f)
     try:
-        decoded = gzf.read()
+        if MAX_GZIP_DECODE < 0: # no limit
+            decoded = gzf.read()
+        else:
+            decoded = gzf.read(MAX_GZIP_DECODE + 1)
     except IOError:
         raise ValueError("invalid data")
     f.close()
     gzf.close()
+    if MAX_GZIP_DECODE >= 0 and len(decoded) > MAX_GZIP_DECODE:
+        raise ValueError("max gzipped payload length exceeded")
     return decoded
 
 ##
Index: Python-2.7.7/Lib/test/test_xmlrpc.py
===================================================================
--- Python-2.7.7.orig/Lib/test/test_xmlrpc.py	2014-05-31 20:58:39.000000000 +0200
+++ Python-2.7.7/Lib/test/test_xmlrpc.py	2014-06-20 14:51:59.993184645 +0200
@@ -24,6 +24,11 @@
     gzip = None
 
 try:
+    import gzip
+except ImportError:
+    gzip = None
+
+try:
     unicode
 except NameError:
     have_unicode = False
@@ -737,7 +742,7 @@
         with cm:
             p.pow(6, 8)
 
-    def test_gsip_response(self):
+    def test_gzip_response(self):
         t = self.Transport()
         p = xmlrpclib.ServerProxy(URL, transport=t)
         old = self.requestHandler.encode_threshold
@@ -750,6 +755,27 @@
         self.requestHandler.encode_threshold = old
         self.assertTrue(a>b)
 
+    def test_gzip_decode_limit(self):
+        data = '\0' * xmlrpclib.MAX_GZIP_DECODE
+        encoded = xmlrpclib.gzip_encode(data)
+        decoded = xmlrpclib.gzip_decode(encoded)
+        self.assertEqual(len(decoded), xmlrpclib.MAX_GZIP_DECODE)
+
+        data = '\0' * (xmlrpclib.MAX_GZIP_DECODE + 1)
+        encoded = xmlrpclib.gzip_encode(data)
+
+        with self.assertRaisesRegexp(ValueError,
+                                     "max gzipped payload length exceeded"):
+            xmlrpclib.gzip_decode(encoded)
+
+        oldmax = xmlrpclib.MAX_GZIP_DECODE
+        try:
+            xmlrpclib.MAX_GZIP_DECODE = -1
+            xmlrpclib.gzip_decode(encoded)
+        finally:
+            xmlrpclib.MAX_GZIP_DECODE = oldmax
+
+
 #Test special attributes of the ServerProxy object
 class ServerProxyTestCase(unittest.TestCase):
     def setUp(self):