New submission from Christian Heimes: The xmlrpc client library is the only stdlib module that has a gzip decompression handler for compressed HTTP streams. The gzip_decode() function decompresses HTTP bodies that are compressed and sent with Accept-Encoding: x-gzip.
A malicious server can send a specially prepared HTTP request that can consume lots of memory. For example 1 GB of \0 bytes is less than 1 MB of gzip data.

Suggestion: The gzip_decode() should only decode a sane amount of bytes (for example 50 MB) and raise an exception when more data is to be read.

----------
components: Library (Lib)
messages: 171246
nosy: christian.heimes
priority: normal
severity: normal
status: open
title: xmlrpc: gzip_decode has unlimited read()
type: resource usage
versions: Python 2.7, Python 3.2, Python 3.3

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue16043>
_______________________________________
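The following is an added example, not code from the tracker issue or from the stdlib's xmlrpc.client, showing a decoder that enforces the kind of size cap the report suggests. It decompresses incrementally with zlib.decompressobj and its max_length argument, so output memory never exceeds the budget plus one byte, rather than calling GzipFile.read() with no limit. The function names (gzip_decode_bounded, make_zero_body), the DecodeLimitError class and the 50 MB default are assumptions chosen to match the report; the sample body is constructed in the block.

```python
import gzip
import zlib

# Assumed default cap, taken from the 50 MB figure in the report.
MAX_DECODE = 50 * 1024 * 1024


class DecodeLimitError(ValueError):
    """Raised when a gzip body would expand beyond the configured limit."""


def gzip_decode_bounded(data: bytes, max_decode: int = MAX_DECODE) -> bytes:
    """Decompress a gzip body, refusing anything that expands past max_decode bytes.

    Decoding is incremental: each decompress() call is given an output budget, so the
    full expansion is never materialised before the check runs.
    """
    # wbits=16+MAX_WBITS tells zlib to expect a gzip header and trailer.
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    out = bytearray()
    pending = data
    while pending:
        # Ask for one byte more than the remaining budget so an overrun is observable.
        budget = max_decode - len(out) + 1
        chunk = d.decompress(pending, budget)
        out += chunk
        if len(out) > max_decode:
            raise DecodeLimitError(
                "gzip payload expands past %d bytes; refusing to decode" % max_decode
            )
        if d.eof:
            break
        # Input that zlib stopped at because the budget was hit is returned here.
        if not chunk and d.unconsumed_tail == pending:
            raise ValueError("decompressor made no progress on gzip stream")
        pending = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated or invalid gzip stream")
    return bytes(out)


def make_zero_body(n_bytes: int) -> bytes:
    """Constructed sample: a gzip body that expands to n_bytes of \\0 (tiny on the wire)."""
    return gzip.compress(b"\0" * n_bytes)


if __name__ == "__main__":
    body = make_zero_body(64 * 1024 * 1024)  # 64 MiB of zeros, a few tens of KB compressed
    print("compressed size: %d bytes" % len(body))
    try:
        gzip_decode_bounded(body)  # default 50 MB cap
    except DecodeLimitError as exc:
        print("rejected:", exc)
    print("small body ok:", gzip_decode_bounded(gzip.compress(b"<methodResponse/>")))
```

The same check can be retrofitted onto the GzipFile-based decoder by calling read(max_decode + 1) and raising when the result is longer than max_decode; the decompressobj form above has the advantage of working on a bytes object without an intermediate file object. Later CPython releases added a max_decode argument to xmlrpc.client.gzip_decode along these lines.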