
Enforce a maximum packet length

Permanently fixes CVE-2015-5159 for all applications.
npmccallum committed Aug 3, 2015
1 parent e4a7119 commit f274aa6787cb8b3ec1cc12c440a56665b7231882
Showing with 6 additions and 1 deletion.
  1. +6 −1 kdcproxy/__init__.py
@@ -61,6 +61,7 @@ def __str__(self):
class Application:
MAX_LENGTH = 128 * 1024
SOCKTYPES = {
"tcp": socket.SOCK_STREAM,
"udp": socket.SOCK_DGRAM,
@@ -180,7 +181,11 @@ def __call__(self, env, start_response):
try:
length = int(env["CONTENT_LENGTH"])
except AttributeError:
length = -1
raise HTTPException(411, "Length required.")
if length < 0:
raise HTTPException(411, "Length required.")
if length > self.MAX_LENGTH:
raise HTTPException(413, "Request entity too large.")
try:
pr = codec.decode(env["wsgi.input"].read(length))
except codec.ParsingError as e:
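Review bot: The `except AttributeError:` guarding `length = int(env["CONTENT_LENGTH"])` does not match the errors that line can realistically raise. A request with no Content-Length raises `KeyError` from the dict lookup, and an empty or non-numeric value raises `ValueError` from `int()`. Unless a handler outside this hunk catches them, both escape as uncaught exceptions instead of the intended 411 response. Since this commit is the length-validation fix for CVE-2015-5159, the parse step should fail closed as well, using `except (AttributeError, KeyError, ValueError):` before the `raise HTTPException(411, "Length required.")`. The rest of `__call__` lies outside the hunk, so confirm whether an outer handler already maps these to an HTTP error.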
