[ZPT] CVS: Zope/lib/python/ZTUtils - Tree.py:1.6.6.3
Martijn Pieters
mj@zope.com
Fri, 4 Oct 2002 10:47:27 -0400
Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv4153/lib/python/ZTUtils
Modified Files:
Tag: Zope-2_6-branch
Tree.py
Log Message:
Limit the string length to be decoded; don't cater to DoS attacks (fixes
Collector issue #605).
Also semi-revert an earlier change on detecting depth encodings; testing
only the first character *is* just fine (and cheaper and safer in the face
of a possible DoS attack).
Last but not least provide a changelog entry and rewrap an earlier entry I
made.
=== Zope/lib/python/ZTUtils/Tree.py 1.6.6.2 => 1.6.6.3 ===
--- Zope/lib/python/ZTUtils/Tree.py:1.6.6.2 Thu Oct 3 17:50:39 2002
+++ Zope/lib/python/ZTUtils/Tree.py Fri Oct 4 10:47:26 2002
@@ -200,6 +200,9 @@
If nth is an integer, also return the (map, key) pair for the nth entry.
'''
+ if len(s) > 8192: # Set limit to 8K, to avoid DoS attacks.
+ raise ValueError('Encoded node map too large')
+
map = m = {}
mstack = []
pop = 0
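Review bot: The 8192 limit is a bare magic number inside the function body; hoist it into a named module-level constant (for example `MAX_ENCODED_LEN = 8192`) so the cap is documented in one place and easy to adjust, and mention it in the docstring since callers can now get a ValueError for oversized input. Placing the check before `map = m = {}` and before the `s.split(':')` loop is the right spot: the whole parsing cost is bounded by the check rather than by attacker-supplied input.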
@@ -207,7 +210,7 @@
if nth is not None:
nth_pair = (None, None)
for step in s.split(':'):
- if step == len(step) * '_':
+ if step[0] == '_':
pop = len(step) - 1
continue
if pop < 0:
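Review bot: `step[0]` raises IndexError on an empty step, which `s.split(':')` yields whenever `s` contains `::` or starts or ends with `:`; the old test `step == len(step) * '_'` was true for an empty string and fell into the pop branch instead. If empty steps are not valid in the encoding, reject them explicitly with a ValueError like the length check above; otherwise use `step[:1] == '_'` or `step.startswith('_')`, which is just as cheap as the first-character test and does not raise. Note also that any step beginning with `_` is now treated as a pop marker, so the encoder must never emit a key starting with `_`; a comment stating that invariant would help future readers.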