[Zope-Checkins] CVS: Zope/lib/python/ZTUtils - Tree.py:1.6.6.3

Martijn Pieters mj@zope.com
Fri, 4 Oct 2002 10:47:27 -0400


Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv4153/lib/python/ZTUtils

Modified Files:
      Tag: Zope-2_6-branch
	Tree.py 
Log Message:
Limit the string length to be decoded; don't cater to DoS attacks (fixes
Collector issue #605). 

Also semi-revert an earlier change on detecting depth encodings; testing
only the first character *is* just fine (and cheaper and safer in the face
of a possible DoS attack).

Last but not least provide a changelog entry and rewrap an earlier entry I
made.


=== Zope/lib/python/ZTUtils/Tree.py 1.6.6.2 => 1.6.6.3 ===
--- Zope/lib/python/ZTUtils/Tree.py:1.6.6.2	Thu Oct  3 17:50:39 2002
+++ Zope/lib/python/ZTUtils/Tree.py	Fri Oct  4 10:47:26 2002
@@ -200,6 +200,9 @@
 
     If nth is an integer, also return the (map, key) pair for the nth entry.
     '''
+    if len(s) > 8192: # Set limit to 8K, to avoid DoS attacks.
+        raise ValueError('Encoded node map too large')
+    
     map = m = {}
     mstack = []
     pop = 0
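Review bot: the 8192 in `if len(s) > 8192:` is a magic number; hoist it into a named module-level constant (e.g. MAX_ENCODED_LEN, a hypothetical name) and state the limit in the docstring above so callers know that encoded node maps over 8K are rejected with ValueError rather than decoded. The added blank line `+    ` also carries trailing whitespace that should be stripped.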
@@ -207,7 +210,7 @@
     if nth is not None:
         nth_pair = (None, None)
     for step in s.split(':'):
-        if step == len(step) * '_':
+        if step[0] == '_':
             pop = len(step) - 1
             continue
         if pop < 0:
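Review bot: `step[0] == '_'` raises IndexError on an empty step, which `s.split(':')` yields for an empty s, a leading or trailing ':' or a doubled '::'; the replaced `step == len(step) * '_'` was true for '' (0 * '_' == '') and took the pop path instead. Since s is untrusted input, prefer `step.startswith('_')` (or `step[:1] == '_'`), or reject an empty step explicitly with the same ValueError the length check uses, so malformed input fails with a deliberate error rather than an unhandled IndexError.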