Gateway: Enforce a *plain-text* message size limit #171
Labels
Comments
|
Suggestion from A_D for how to enforce a plain-text limit: import gzip, io
incomingstream: bytes = None # wherever this comes from
stream_file = io.bytesIO(incomingstream) # this can be skipped if incomingstream is already a file (eg a socket)
gz_file = gzip.GzipFile(fileobj=stream_file)
buffer = b''
while len(buffer) < MAX_BUFFER:
buffer += gz_file.read(1024)And Spansh has supplied a 1GB gzip bomb, see https://discord.com/channels/164411426939600896/205369618284544000/934051715957792818 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We have now confirmed that compression does allow for larger plain-text messages to make it through
bottle's body size check. It's only lookin at the 'raw', and thus compressed if applicable, size.Normal gzip will compress things to 10-11% their original size, and thus the 1MiB bottle limit means potentially a ~10MiB plain-text message.
However it's possible to craft nasty gzip bombs that are small on the wire but decompress to much smaller. Thus we should see if
zlibhas any way to limit the amount of memory/buffer it will use in decompression and throw an exception if exceded.The text was updated successfully, but these errors were encountered: