[Zope-Checkins] CVS: Releases/Zope/lib/python/ZTUtils -
	Tree.py:1.15.2.3
    Evan Simpson 
    evan at 4-am.com
       
    Thu Dec 11 13:03:56 EST 2003
    
    
  
Update of /cvs-repository/Releases/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv11474/lib/python/ZTUtils
Modified Files:
      Tag: Zope-2_7-branch
	Tree.py 
Log Message:
Collector #1012: A carefully crafted compressed tree state could violate size limit.  Limit is no longer hardcoded.
=== Releases/Zope/lib/python/ZTUtils/Tree.py 1.15.2.2 => 1.15.2.3 ===
--- Releases/Zope/lib/python/ZTUtils/Tree.py:1.15.2.2	Mon Jul 21 12:37:40 2003
+++ Releases/Zope/lib/python/ZTUtils/Tree.py	Thu Dec 11 13:03:56 2003
@@ -277,16 +277,19 @@
             result = zresult
     return result
 
-def decodeExpansion(s, nth=None):
+def decodeExpansion(s, nth=None, maxsize=8192):
     '''Decode an expanded node map from a string.
 
     If nth is an integer, also return the (map, key) pair for the nth entry.
     '''
-    if len(s) > 8192: # Set limit to 8K, to avoid DoS attacks.
+    if len(s) > maxsize: # Set limit to avoid DoS attacks.
         raise ValueError('Encoded node map too large')
 
     if s[0] == ':': # Compressed state
-        s = zlib.decompress(a2b(s[1:]))
+        dec = zlib.decompressobj()
+        s = dec.decompress(a2b(s[1:]), maxsize)
+        if dec.decompress('', 1):
+            raise ValueError('Encoded node map too large')
     
     map = m = {}
     mstack = []
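Review bot: The overflow test `if dec.decompress('', 1):` in the compressed-state branch feeds an empty string rather than the input the bounded call left unprocessed, so it appears to fire only when zlib still holds pending output internally. The zlib module documents that input withheld because of `max_length` is stored in `dec.unconsumed_tail`, so testing that directly with `if dec.unconsumed_tail:` would enforce the limit without depending on internal buffering. The docstring could also gain a line such as `maxsize caps both the encoded string and the decompressed result`, since callers can now override the value. The body of decodeExpansion continues past the end of this hunk, so how the decoded string is parsed afterwards is not visible here.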
    
    