Roundup Robot added the comment:
New changeset d50096708b2d by Benjamin Peterson in branch '2.7':
add a default limit for the amount of data xmlrpclib.gzip_decode will return
(closes #16043)
https://hg.python.org/cpython/rev/d50096708b2d
--
nosy: +python-dev
resolution:  -> fixed
stage:
Roundup Robot added the comment:
New changeset a0368f81af9a by Benjamin Peterson in branch '3.2':
add a default limit for the amount of data xmlrpclib.gzip_decode will return
(closes #16043)
https://hg.python.org/cpython/rev/a0368f81af9a
New changeset 4a9418c6f8ae by Benjamin Peterson in
Matthias Klose added the comment:
updated patch to use an optional parameter max_decode.
--
nosy: +doko
Added file: http://bugs.python.org/file37343/xmlrpc_gzip_27_parameter.patch
___
Python tracker rep...@bugs.python.org
Matthias Klose added the comment:
document the new exception
--
Added file: http://bugs.python.org/file37344/xmlrpc_gzip_27_parameter.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue16043
Changes by jan matejek jmate...@suse.cz:
--
nosy: +matejcik
Jim Jewett added the comment:
I'm putting it back to release blocker, because 3.3 should decide whether to
fix it/call it security/remove itself from the list.
The patch contains several small changes. I like the spelling fix (gsip ->
gzip) in a test method, but otherwise, I prefer the
Martin v. Löwis added the comment:
Demoting this from release blocker: apparently, the release-blocking property
was only intended for 2.6.9, which has been released.
--
nosy: +loewis
priority: release blocker -> critical
Larry Hastings added the comment:
Ping. Can we get this fixed before beta 1?
--
Changes by Barry A. Warsaw ba...@python.org:
--
versions: -Python 2.6
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:
--
versions: +Python 3.1
Barry A. Warsaw added the comment:
blocker for 2.6.9
--
priority: critical -> release blocker
Changes by Martin Panter vadmium...@gmail.com:
--
nosy: +vadmium
Benjamin Peterson added the comment:
Not blocking 2.7.4 as discussed on mailing list.
--
priority: release blocker -> critical
Changes by Florent Xicluna florent.xicl...@gmail.com:
--
nosy: +flox
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:
--
nosy: +Arfrever
Changes by Barry A. Warsaw ba...@python.org:
--
nosy: +barry
versions: +Python 2.6
Christian Heimes added the comment:
+1 for a keyword argument
I also have to add a limit to GzipDecodedResponse().
Python 2.6 and 3.1 are not affected by the issue. The problematic code was
added in 2.7 and 3.2.
--
Christian Heimes added the comment:
CVE-2013-1753 gzip bomb and unbound read DoS vulnerabilities in Python's xmlrpc
library
--
Christian Heimes added the comment:
IMHO the patch should also limit the maximum amount of read bytes in
Transport.parse_response(). Do you agree?
--
Serhiy Storchaka added the comment:
I think instead of global variable it will be better to add an optional
parameter for gzip_decode() (with a sane default value) and related functions.
Or at least in addition to it.
--
nosy: +serhiy.storchaka
Changes by Christian Heimes li...@cheimes.de:
--
nosy: +benjamin.peterson, georg.brandl, larry
priority: critical -> release blocker
Christian Heimes added the comment:
The attached patch adds a limitation to xmlrpclib.gzip_decode().
--
assignee:  -> christian.heimes
dependencies: -gzip, bz2, lzma: add option to limit output size
keywords: +patch
priority: normal -> critical
stage:  -> patch review
versions: +Python
New submission from Christian Heimes:
The xmlrpc client library is the only stdlib module that has a gzip
decompression handler for compressed HTTP streams. The gzip_decode() function
decompresses HTTP bodies that are compressed and sent with Accept-Encoding:
x-gzip.
A malicious server can
Changes by Ralf Schmitt python-b...@systemexit.de:
--
nosy: +schmir
Christian Heimes added the comment:
Also see #15955
According to Nadeem it's not (easily) possible to detect how large the output
is going to be.
--
dependencies: +gzip, bz2, lzma: add method to get decompressed size
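An added example, not code from the tracker, from the attached patches or from CPython itself, showing the two limits this thread argues for: a cap on how much gzip_decode() is allowed to inflate, passed as an optional parameter with a default (Matthias's and Serhiy's point), and a cap on how many bytes are read from the response before decoding (Christian's parse_response point). Since, as noted above, the decompressed size cannot be predicted from the compressed stream, the cap is enforced on the output as it is produced. The function names, the 20 MiB default and the sample bodies are assumptions made here; the gzip bomb body is constructed for the example, not taken from the report.

```python
import gzip
import io

# Assumed default for this example (the real patch picks its own value):
# refuse responses that inflate past 20 MiB.
DEFAULT_MAX_DECODE = 20 * 1024 * 1024

# Constructed sample bodies, not taken from the tracker: a small legitimate
# XML-RPC response, and a "gzip bomb" that inflates roughly 1000:1.
LEGIT_XML = (b"<?xml version='1.0'?><methodResponse><params><param>"
             b"<value><string>ok</string></value></param></params></methodResponse>")
LEGIT_BODY = gzip.compress(LEGIT_XML)
BOMB_BODY = gzip.compress(b"\0" * (8 * 1024 * 1024))  # ~8 KiB on the wire, 8 MiB inflated


def gzip_decode_bounded(data, max_decode=DEFAULT_MAX_DECODE):
    """Inflate a gzip-encoded body, refusing output longer than max_decode bytes.

    max_decode < 0 disables the limit. GzipFile.read(n) returns at most n
    bytes, so asking for max_decode + 1 bounds memory use without needing to
    know the final size up front.
    """
    with gzip.GzipFile(mode="rb", fileobj=io.BytesIO(data)) as f:
        try:
            decoded = f.read() if max_decode < 0 else f.read(max_decode + 1)
        except (OSError, EOFError):
            # bad magic/CRC (OSError) or a truncated stream (EOFError)
            raise ValueError("invalid gzip data") from None
    if max_decode >= 0 and len(decoded) > max_decode:
        raise ValueError("max gzipped payload length exceeded")
    return decoded


def read_bounded(stream, max_bytes, chunk_size=64 * 1024):
    """Read a response body from a file-like object, stopping at max_bytes.

    Reading one byte past the limit is what detects an oversized body; an
    unbounded stream.read() would let the server dictate the allocation size.
    """
    buf = io.BytesIO()
    total = 0
    while True:
        chunk = stream.read(min(chunk_size, max_bytes - total + 1))
        if not chunk:
            return buf.getvalue()
        total += len(chunk)
        if total > max_bytes:
            raise ValueError("response body exceeds %d bytes" % max_bytes)
        buf.write(chunk)


def decode_response(stream, content_encoding=None, max_decode=DEFAULT_MAX_DECODE):
    """Apply both limits: bounded read of the wire bytes, then bounded inflate."""
    raw = read_bounded(stream, max_decode)
    if content_encoding in ("gzip", "x-gzip"):
        return gzip_decode_bounded(raw, max_decode)
    return raw


def demo():
    """Exercise both limits against the constructed bodies and report results."""
    results = {
        "legit_roundtrip": decode_response(io.BytesIO(LEGIT_BODY), "gzip") == LEGIT_XML,
        "bomb_wire_bytes": len(BOMB_BODY),
        "bomb_inflated_bytes": len(gzip_decode_bounded(BOMB_BODY, max_decode=-1)),
    }
    try:
        gzip_decode_bounded(BOMB_BODY, max_decode=1024 * 1024)
        results["bomb_rejected"] = False
    except ValueError:
        results["bomb_rejected"] = True
    try:
        read_bounded(io.BytesIO(b"x" * 2000), max_bytes=1000)
        results["oversize_body_rejected"] = False
    except ValueError:
        results["oversize_body_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The compressed-size check in read_bounded is not redundant with the inflate cap: a server can also send an uncompressed body of arbitrary length, which is the "unbound read" half of the CVE title above, so the read limit has to be applied before Content-Encoding is even looked at.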