mirror of https://github.com/python/cpython
Issue #10714: Limit length of incoming request in http.server to 65536 bytes
for security reasons. Initial patch by Ross Lagerwall.
parent
12de8ac215
commit
c492437922
|
@ -358,7 +358,13 @@ class BaseHTTPRequestHandler(socketserver.StreamRequestHandler):
|
||||||
|
|
||||||
"""
|
"""
|
||||||
try:
|
try:
|
||||||
self.raw_requestline = self.rfile.readline()
|
self.raw_requestline = self.rfile.readline(65537)
|
||||||
|
if len(self.raw_requestline) > 65536:
|
||||||
|
self.requestline = ''
|
||||||
|
self.request_version = ''
|
||||||
|
self.command = ''
|
||||||
|
self.send_error(414)
|
||||||
|
return
|
||||||
if not self.raw_requestline:
|
if not self.raw_requestline:
|
||||||
self.close_connection = 1
|
self.close_connection = 1
|
||||||
return
|
return
|
||||||
|
|
|
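Review bot: The 414 branch returns right after `self.send_error(414)` without setting `self.close_connection` in the visible lines, while `readline(65537)` has consumed only the first 65537 bytes of the oversized line. If `send_error` (outside this hunk) does not itself mark the connection for closing, a persistent connection would go on to read the unconsumed remainder as the next request line; adding `self.close_connection = 1` before the `return` makes the intent explicit. The limit is also written twice as bare literals (`65537` and `65536`); one named constant, for example `_MAXLINE = 65536` used as `readline(_MAXLINE + 1)`, would keep the two in step. Only the request line is bounded here, so header reading, which happens outside this hunk, needs its own check. The enclosing method starts and ends outside the hunk.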
@ -566,6 +566,12 @@ class BaseHTTPRequestHandlerTestCase(unittest.TestCase):
|
||||||
self.assertEqual(sum(r == b'Connection: close\r\n' for r in result[1:-1]), 1)
|
self.assertEqual(sum(r == b'Connection: close\r\n' for r in result[1:-1]), 1)
|
||||||
self.handler = usual_handler # Restore to avoid breaking any subsequent tests.
|
self.handler = usual_handler # Restore to avoid breaking any subsequent tests.
|
||||||
|
|
||||||
|
def test_request_length(self):
|
||||||
|
# Issue #10714: huge request lines are discarded, to avoid Denial
|
||||||
|
# of Service attacks.
|
||||||
|
result = self.send_typical_request(b'GET ' + b'x' * 65537)
|
||||||
|
self.assertEqual(result[0], b'HTTP/1.1 414 Request-URI Too Long\r\n')
|
||||||
|
self.assertFalse(self.handler.get_called)
|
||||||
|
|
||||||
class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
|
class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
|
||||||
""" Test url parsing """
|
""" Test url parsing """
|
||||||
|
|
|
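Review bot: `test_request_length` only exercises a line well over the limit (`b'GET ' + b'x' * 65537`), so the `> 65536` comparison in the handler is not pinned at its boundary. A companion case with a request line at the largest accepted length, asserting that the status line is not the 414 one, would catch an off-by-one in either direction. What `send_typical_request` appends to the line is not visible here, so the exact length has to be worked out against that helper. A short comment such as `# 65536 is the request-line cap enforced by BaseHTTPRequestHandler` would also tie the literal in the test to the code it guards.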
@ -476,6 +476,7 @@ Andrej Krpic
|
||||||
Ivan Krstić
|
Ivan Krstić
|
||||||
Andrew Kuchling
|
Andrew Kuchling
|
||||||
Vladimir Kushnir
|
Vladimir Kushnir
|
||||||
|
Ross Lagerwall
|
||||||
Cameron Laird
|
Cameron Laird
|
||||||
Jean-Baptiste "Jiba" Lamy
|
Jean-Baptiste "Jiba" Lamy
|
||||||
Torsten Landschoff
|
Torsten Landschoff
|
||||||
|
|
|
@ -20,6 +20,9 @@ Core and Builtins
|
||||||
Library
|
Library
|
||||||
-------
|
-------
|
||||||
|
|
||||||
|
- Issue #10714: Limit length of incoming request in http.server to 65536 bytes
|
||||||
|
for security reasons. Initial patch by Ross Lagerwall.
|
||||||
|
|
||||||
- Issue #9558: Fix distutils.command.build_ext with VS 8.0.
|
- Issue #9558: Fix distutils.command.build_ext with VS 8.0.
|
||||||
|
|
||||||
- Issue #10667: Fast path for collections.Counter().
|
- Issue #10667: Fast path for collections.Counter().
|
||||||
|
|