Марк Коренберг <socketp...@gmail.com> added the comment:

asynchat.py: class async_chat: handle_read():
-----------------------
            elif isinstance(terminator, int) or isinstance(terminator, long):
                # numeric terminator
                n = terminator
                if lb < n:
                    self.collect_incoming_data (self.ac_in_buffer)
                    self.ac_in_buffer = ''
                    self.terminator = self.terminator - lb
                else:
                    self.collect_incoming_data (self.ac_in_buffer[:n])
                    self.ac_in_buffer = self.ac_in_buffer[n:]
                    self.terminator = 0
                    self.found_terminator()
------------------------------
Suppose terminator is -10. "if lb < n" never matches, so the "else" branch is
executed. Next, it will call "self.collect_incoming_data (self.ac_in_buffer[:n])" to
push data to the user. It should push some data from the beginning of the buffer;
instead of this, the total buffer except the last 10 characters is pushed.

Moreover, "self.ac_in_buffer = self.ac_in_buffer[n:]" should give the tail of the
buffer, but instead of this, "self.ac_in_buffer" will contain part of the tail.

Such behaviour may break protocol parsing. In my case, a malicious user passes
'Content-Length: -100' and totally breaks protocol parsing. Crafted values may
cause a memory leak.

In any case, the author of this code did not think about negative n in the
constructions [:n] or [n:].

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue11259>
_______________________________________
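
The slicing behaviour described in the comment above, reproduced outside asynchat as an added example (not code from the original comment or from CPython). The function names, the validation helper and the sample buffer are assumptions made for illustration.

```python
# Added illustration: a stand-alone mirror of the quoted numeric-terminator
# branch, plus a validating wrapper. All names here are hypothetical.

BODY = b"0123456789ABCDEFGHIJ"  # constructed 20-byte sample buffer


def numeric_branch(buf, terminator):
    """Same logic as the quoted branch, returned as a tuple:
    (data passed to collect_incoming_data, new ac_in_buffer,
     new terminator, whether found_terminator() would fire)."""
    n = terminator
    lb = len(buf)
    if lb < n:
        return buf, b"", terminator - lb, False
    # With n < 0, "lb < n" is always false and both slices count from the END.
    return buf[:n], buf[n:], 0, True


def parse_content_length(value):
    """Validate a peer-supplied length before it becomes a terminator."""
    n = int(value)  # raises ValueError on non-numeric input
    if n < 0:
        raise ValueError("negative Content-Length: %d" % n)
    return n


def checked_numeric_branch(buf, terminator):
    """Same branch, but a negative terminator is rejected up front."""
    if terminator < 0:
        raise ValueError("numeric terminator must be >= 0")
    return numeric_branch(buf, terminator)


if __name__ == "__main__":
    # -10: everything except the last 10 bytes is delivered as the "body".
    print(numeric_branch(BODY, -10))
    # -100: an empty body is delivered and the buffer is left untouched.
    print(numeric_branch(BODY, -100))
    for header in ("20", "-100"):
        try:
            print(checked_numeric_branch(BODY, parse_content_length(header)))
        except ValueError as exc:
            print("rejected:", exc)
```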