- SimpleTree.py: CGI escapes (merged from 2.6 / 2.7 audit).

  - Tree.py:  prevent DoS agains tree state cookie decompression (merged
    from 2.6 / 2.7 audit).

lib/python/ZTUtils/SimpleTree.py

@@ -12,10 +12,11 @@
 ##############################################################################
 __doc__='''Simple Tree classes
 
-$Id: SimpleTree.py,v 1.4 2002/10/03 21:08:40 mj Exp $'''
-__version__='$Revision: 1.4 $'[11:-2]
+$Id: SimpleTree.py,v 1.5 2004/01/15 23:00:17 tseaver Exp $'''
+__version__='$Revision: 1.5 $'[11:-2]
 
 from Tree import TreeMaker, TreeNode, b2a
+from cgi import escape
 
 class SimpleTreeNode(TreeNode):
     def branch(self):
@@ -35,9 +36,10 @@ class SimpleTreeNode(TreeNode):
         obid = self.id
         pre = self.aq_acquire('tree_pre')
 
-        return {'link': '?%s-setstate=%s,%s,%s#%s' % (pre, setst[0],
-                                                      exnum, obid, obid),
-        'img': '<img src="%s/p_/%s" alt="%s" border="0">' % (base, img, setst)}
+        return {'link': '?%s-setstate=%s,%s,%s#%s' % \
+                        (pre, setst[0], exnum, obid, obid),
+                'img': '<img src="%s/p_/%s" alt="%s" border="0">' % \
+                        (escape(base, 1), img, setst)}
 
 
 class SimpleTreeMaker(TreeMaker):

lib/python/ZTUtils/Tree.py

@@ -12,8 +12,8 @@
 ##############################################################################
 __doc__='''Tree manipulation classes
 
-$Id: Tree.py,v 1.17 2003/12/11 18:02:15 evan Exp $'''
-__version__='$Revision: 1.17 $'[11:-2]
+$Id: Tree.py,v 1.18 2004/01/15 23:00:17 tseaver Exp $'''
+__version__='$Revision: 1.18 $'[11:-2]
 
 from Acquisition import Explicit
 from ComputedAttribute import ComputedAttribute
@@ -220,7 +220,7 @@ def simple_type(ob,
                            type(0L):1, type(None):1 }.has_key):
     return is_simple(type(ob))
 
-from binascii import b2a_base64, a2b_base64
+import base64
 from string import translate, maketrans
 import zlib
 
@@ -232,23 +232,11 @@ def b2a(s):
 
     Encoded string use only alpahnumeric characters, and "._-".
     '''
-    s = str(s)
-    if len(s) <= 57:
-        return translate(b2a_base64(s)[:-1], a2u_map)
-    frags = []
-    for i in range(0, len(s), 57):
-        frags.append(b2a_base64(s[i:i + 57])[:-1])
-    return translate(''.join(frags), a2u_map)
+    return translate(base64.encodestring(str(s)), a2u_map)
 
 def a2b(s):
     '''Decode a b2a-encoded string.'''
-    s = translate(s, u2a_map)
-    if len(s) <= 76:
-        return a2b_base64(s)
-    frags = []
-    for i in range(0, len(s), 76):
-        frags.append(a2b_base64(s[i:i + 76]))
-    return ''.join(frags)
+    return base64.decodestring(translate(s, u2a_map))
 
 def encodeExpansion(nodes, compress=1):
     '''Encode the expanded node ids of a tree into a string.
@@ -288,8 +276,9 @@ def decodeExpansion(s, nth=None, maxsize=8192):
     if s[0] == ':': # Compressed state
         dec = zlib.decompressobj()
         s = dec.decompress(a2b(s[1:]), maxsize)
-        if dec.decompress('', 1):
+        if dec.unconsumed_tail:
             raise ValueError('Encoded node map too large')
+        del dec
     
     map = m = {}
     mstack = []

lib/python/ZTUtils/tests/testTree.py

@@ -207,6 +207,16 @@ class TreeTests(unittest.TestCase):
 
         self.assertEqual(treeroot1.size, treeroot2.size)
         self.assertEqual(len(treeroot1), len(treeroot2))
+    
+    def testDecodeInputSizeLimit(self):
+        self.assertRaises(ValueError, Tree.decodeExpansion, 'x' * 10000)
+    
+    def testDecodeDecompressedSizeLimit(self):
+        import zlib
+        from ZTUtils.Tree import b2a, a2b, encodeExpansion, decodeExpansion
+        big = b2a(zlib.compress('x' * (1024*1100)))
+        self.assert_(len(big) < 8192) # Must be under the input size limit
+        self.assertRaises(ValueError, Tree.decodeExpansion, ':' + big)
 
 
 def test_suite():