Commit 6ca36919 authored by Tres Seaver

Prevent zlib-based DoS when parsing the cookie containing paste tokens.

Fixes LP #1094049.
parent d1661eba
......@@ -8,6 +8,9 @@ http://docs.zope.org/zope2/
2.13.21 (unreleased)
--------------------
- LP #1094049: prevent zlib-based DoS when parsing the cookie containing
paste tokens.
- Updated distributions:
- AccessControl = 2.13.12
......
......@@ -23,7 +23,7 @@ from urllib import quote
from urllib import unquote
import warnings
from zlib import compress
from zlib import decompress
from zlib import decompressobj
import transaction
from AccessControl import ClassSecurityInfo
......@@ -647,8 +647,12 @@ def absattr(attr):
def _cb_encode(d):
return quote(compress(dumps(d), 9))
def _cb_decode(s):
return loads(decompress(unquote(s)))
def _cb_decode(s, maxsize=8192):
dec = decompressobj()
data = dec.decompress(unquote(s), maxsize)
if dec.unconsumed_tail:
raise ValueError
return loads(data)
def cookie_path(request):
# Return a "path" value for use in a cookie that refers
......
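Review bot: The `raise ValueError` behind the `dec.unconsumed_tail` check carries no message, so a caller or log line cannot distinguish a rejected oversize cookie from any other ValueError raised while decoding; `raise ValueError('compressed cookie payload exceeds %d bytes' % maxsize)` would make the rejection self-describing. Passing `maxsize` as the max_length argument can also leave input unconsumed when the inflated output lands on exactly `maxsize` bytes, so a legitimate payload of precisely 8192 bytes may be rejected as well — if that is unintended, decompress with `maxsize + 1` and reject when `len(data) > maxsize`. What `loads` deserializes here is not visible in the hunk, so the size bound protects only the zlib step; the deserializer's own handling of untrusted bytes is worth a one-line comment above `return loads(data)`. The hunk covers the whole of _cb_decode; cookie_path continues outside it.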