Recommend max_buffer_len instead of max_(str|bin|ext)_len

author: Inada Naoki <songofacandy@gmail.com> 2019-01-25 21:27:46 +0900
committer: Inada Naoki <songofacandy@gmail.com> 2019-01-25 21:27:46 +0900
commit: 280308e8ced50322414fd4f7426d56093a57dbf1 (patch)
tree: 272b1a01f5f0e0640802bb64e60c53c5e86e6b7e
parent: 9951b894555e4f9c7120375028e686f7420de92a (diff)
download: msgpack-python-280308e8ced50322414fd4f7426d56093a57dbf1.tar.gz
3 files changed, 34 insertions, 13 deletions
diff --git a/ChangeLog.rst b/ChangeLog.rst
index 651ba62..2c988db 100644
--- a/ChangeLog.rst
+++ b/ChangeLog.rst
@@ -1,3 +1,21 @@
+0.6.1
+======
+
+Release Date: 2019-01-25
+
+This release is for mitigating pain caused by v0.6.1 reduced max input limits
+for security reason.
+
+* ``unpackb(data)`` configures ``max_*_len`` options from ``len(data)``,
+  instead of static default sizes.
+
+* ``Unpacker(max_buffer_len=N)`` configures ``max_*_len`` options from ``N``,
+  instead of static default sizes.
+
+* ``max_bin_len``, ``max_str_len``, and ``max_ext_len`` are deprecated.
+  Since this is minor release, it's document only deprecation.
+
+
 0.6.0
 ======
 
diff --git a/msgpack/_unpacker.pyx b/msgpack/_unpacker.pyx
index 38119c0..3c6d59e 100644
--- a/msgpack/_unpacker.pyx
+++ b/msgpack/_unpacker.pyx
@@ -273,9 +273,11 @@ cdef class Unpacker(object):
         You should set this parameter when unpacking data from untrusted source.
 
     :param int max_str_len:
+        Deprecated, use *max_buffer_size* instead.
         Limits max length of str. (default: max_buffer_size or 1024*1024)
 
     :param int max_bin_len:
+        Deprecated, use *max_buffer_size* instead.
         Limits max length of bin. (default: max_buffer_size or 1024*1024)
 
     :param int max_array_len:
@@ -285,10 +287,11 @@ cdef class Unpacker(object):
         Limits max length of map. (default: max_buffer_size//2 or 32*1024)
 
     :param int max_ext_len:
+        Deprecated, use *max_buffer_size* instead.
         Limits max size of ext type. (default: max_buffer_size or 1024*1024)
 
     :param str encoding:
-        Deprecated, use raw instead.
+        Deprecated, use ``raw=False`` instead.
         Encoding used for decoding msgpack raw.
         If it is None (default), msgpack raw is deserialized to Python bytes.
 
@@ -298,13 +301,13 @@ cdef class Unpacker(object):
 
     Example of streaming deserialize from file-like object::
 
-        unpacker = Unpacker(file_like, raw=False)
+        unpacker = Unpacker(file_like, raw=False, max_buffer_size=10*1024*1024)
         for o in unpacker:
             process(o)
 
     Example of streaming deserialize from socket::
 
-        unpacker = Unpacker(raw=False)
+        unpacker = Unpacker(raw=False, max_buffer_size=10*1024*1024)
         while True:
             buf = sock.recv(1024**2)
             if not buf:
diff --git a/msgpack/fallback.py b/msgpack/fallback.py
index 7524448..1aa3bdf 100644
--- a/msgpack/fallback.py
+++ b/msgpack/fallback.py
@@ -208,12 +208,12 @@ class Unpacker(object):
         You should set this parameter when unpacking data from untrusted source.
 
     :param int max_str_len:
-        (deprecated) Limits max length of str.
-        (default: max_buffer_size or 1024*1024)
+        Deprecated, use *max_buffer_size* instead.
+        Limits max length of str. (default: max_buffer_size or 1024*1024)
 
     :param int max_bin_len:
-        (deprecated) Limits max length of bin.
-        (default: max_buffer_size or 1024*1024)
+        Deprecated, use *max_buffer_size* instead.
+        Limits max length of bin. (default: max_buffer_size or 1024*1024)
 
     :param int max_array_len:
         Limits max length of array.
@@ -224,18 +224,18 @@ class Unpacker(object):
         (default: max_buffer_size//2 or 32*1024)
 
     :param int max_ext_len:
-        (deprecated) Limits max size of ext type.
-        (default: max_buffer_size or 1024*1024)
+        Deprecated, use *max_buffer_size* instead.
+        Limits max size of ext type.  (default: max_buffer_size or 1024*1024)
 
-    example of streaming deserialize from file-like object::
+    Example of streaming deserialize from file-like object::
 
-        unpacker = Unpacker(file_like, raw=False)
+        unpacker = Unpacker(file_like, raw=False, max_buffer_size=10*1024*1024)
         for o in unpacker:
             process(o)
 
-    example of streaming deserialize from socket::
+    Example of streaming deserialize from socket::
 
-        unpacker = Unpacker(raw=False)
+        unpacker = Unpacker(raw=False, max_buffer_size=10*1024*1024)
         while True:
             buf = sock.recv(1024**2)
             if not buf:
author	Inada Naoki <songofacandy@gmail.com>	2019-01-25 21:27:46 +0900
committer	Inada Naoki <songofacandy@gmail.com>	2019-01-25 21:27:46 +0900
commit	280308e8ced50322414fd4f7426d56093a57dbf1 (patch)
tree	272b1a01f5f0e0640802bb64e60c53c5e86e6b7e
parent	9951b894555e4f9c7120375028e686f7420de92a (diff)
download	msgpack-python-280308e8ced50322414fd4f7426d56093a57dbf1.tar.gz