76 lines
2.8 KiB
Diff
76 lines
2.8 KiB
Diff
From dbb1dc2ef9a6c36e7b9139151d4db2ffab69eceb Mon Sep 17 00:00:00 2001
|
|
From: Illia Volochii <illia.volochii@gmail.com>
|
|
Date: Fri, 5 Dec 2025 16:41:33 +0200
|
|
Subject: [PATCH] Security fix for CVE-2025-66418
|
|
|
|
* Add a hard-coded limit for the decompression chain
|
|
|
|
* Reuse new list
|
|
|
|
(cherry picked from commit 24d7b67eac89f94e11003424bcf0d8f7b72222a8)
|
|
---
|
|
changelog/GHSA-gm62-xv2j-4w53.security.rst | 4 ++++
|
|
src/urllib3/response.py | 12 +++++++++++-
|
|
test/test_response.py | 10 ++++++++++
|
|
3 files changed, 25 insertions(+), 1 deletion(-)
|
|
create mode 100644 changelog/GHSA-gm62-xv2j-4w53.security.rst
|
|
|
|
diff --git a/changelog/GHSA-gm62-xv2j-4w53.security.rst b/changelog/GHSA-gm62-xv2j-4w53.security.rst
|
|
new file mode 100644
|
|
index 00000000..6646eaa3
|
|
--- /dev/null
|
|
+++ b/changelog/GHSA-gm62-xv2j-4w53.security.rst
|
|
@@ -0,0 +1,4 @@
|
|
+Fixed a security issue where an attacker could compose an HTTP response with
|
|
+virtually unlimited links in the ``Content-Encoding`` header, potentially
|
|
+leading to a denial of service (DoS) attack by exhausting system resources
|
|
+during decoding. The number of allowed chained encodings is now limited to 5.
|
|
diff --git a/src/urllib3/response.py b/src/urllib3/response.py
|
|
index 60bd98c9..ba366eef 100644
|
|
--- a/src/urllib3/response.py
|
|
+++ b/src/urllib3/response.py
|
|
@@ -163,8 +163,18 @@ class MultiDecoder(object):
|
|
they were applied.
|
|
"""
|
|
|
|
+ # Maximum allowed number of chained HTTP encodings in the
|
|
+ # Content-Encoding header.
|
|
+ max_decode_links = 5
|
|
+
|
|
def __init__(self, modes):
|
|
- self._decoders = [_get_decoder(m.strip()) for m in modes.split(',')]
|
|
+ encodings = [m.strip() for m in modes.split(",")]
|
|
+ if len(encodings) > self.max_decode_links:
|
|
+ raise DecodeError(
|
|
+ "Too many content encodings in the chain: "
|
|
+ f"{len(encodings)} > {self.max_decode_links}"
|
|
+ )
|
|
+ self._decoders = [_get_decoder(e) for e in encodings]
|
|
|
|
def flush(self):
|
|
return self._decoders[0].flush()
|
|
diff --git a/test/test_response.py b/test/test_response.py
|
|
index 347276e8..bd083b7f 100644
|
|
--- a/test/test_response.py
|
|
+++ b/test/test_response.py
|
|
@@ -467,6 +467,16 @@ class TestResponse(object):
|
|
assert r.read(9 * 37) == b"foobarbaz" * 37
|
|
assert r.read() == b""
|
|
|
|
+ def test_read_multi_decoding_too_many_links(self):
|
|
+ fp = BytesIO(b"foo")
|
|
+ with pytest.raises(
|
|
+ DecodeError, match="Too many content encodings in the chain: 6 > 5"
|
|
+ ):
|
|
+ HTTPResponse(
|
|
+ fp,
|
|
+ headers={"content-encoding": "gzip, deflate, br, zstd, gzip, deflate"},
|
|
+ )
|
|
+
|
|
def test_body_blob(self):
|
|
resp = HTTPResponse(b'foo')
|
|
assert resp.data == b'foo'
|
|
--
|
|
2.52.0
|
|
|