Prevent zlib-based DoS when parsing the cookie containing paste tokens.

Fixes LP #1094049.

Prevent zlib-based DoS when parsing the cookie containing paste tokens.
Fixes LP #1094049.
9f37c696 · Tres Seaver · ba2292bb · 9f37c696 · 9f37c696
Commit 9f37c696 authored Jul 05, 2013 by Tres Seaver
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 3 deletions

doc/CHANGES.rst doc/CHANGES.rst +2 -0

src/OFS/CopySupport.py src/OFS/CopySupport.py +7 -3

No files found.
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -8,6 +8,8 @@ http://docs.zope.org/zope2/
 2.12.28 (unreleased)
 --------------------

+- LP #1094049:  prevent zlib-based DoS when parsing the cookie containing
+  paste tokens.

 2.12.27 (2013-05-01)
 --------------------

--- a/src/OFS/CopySupport.py
+++ b/src/OFS/CopySupport.py
@@ -25,7 +25,7 @@ from urllib import quote
 from urllib import unquote
 import warnings
 from zlib import compress
-from zlib import decompress
+from zlib import decompressobj
 import transaction

 from AccessControl import ClassSecurityInfo
@@ -649,8 +649,12 @@ def absattr(attr):
 def _cb_encode(d):
    return quote(compress(dumps(d), 9))

-def _cb_decode(s):
-    return loads(decompress(unquote(s)))
+def _cb_decode(s, maxsize=8192):
+    dec = decompressobj()
+    data = dec.decompress(unquote(s), maxsize)
+    if dec.unconsumed_tail:
+        raise ValueError
+    return loads(data)

 def cookie_path(request):
    # Return a "path" value for use in a cookie that refers