Mirror
/
cpython
mirror of https://github.com/python/cpython
4
1
Fork 0
Code Issues Releases Wiki Activity

Issue #10714: Limit length of incoming request in http.server to 65536 bytes 

for security reasons.  Initial patch by Ross Lagerwall.
This commit is contained in:
Antoine Pitrou 2010-12-16 16:48:36 +00:00
parent 12de8ac215
commit c492437922
4 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Lib/http/server.py
View File

@ -358,7 +358,13 @@ class BaseHTTPRequestHandler(socketserver.StreamRequestHandler):
""" """
try: try:
self.raw_requestline = self.rfile.readline() self.raw_requestline = self.rfile.readline(65537)
if len(self.raw_requestline) > 65536:
self.requestline = ''
self.request_version = ''
self.command = ''
self.send_error(414)
return
if not self.raw_requestline: if not self.raw_requestline:
self.close_connection = 1 self.close_connection = 1
return return

6
Lib/test/test_httpservers.py
View File

@ -566,6 +566,12 @@ class BaseHTTPRequestHandlerTestCase(unittest.TestCase):
self.assertEqual(sum(r == b'Connection: close\r\n' for r in result[1:-1]), 1) self.assertEqual(sum(r == b'Connection: close\r\n' for r in result[1:-1]), 1)
self.handler = usual_handler # Restore to avoid breaking any subsequent tests. self.handler = usual_handler # Restore to avoid breaking any subsequent tests.
def test_request_length(self):
# Issue #10714: huge request lines are discarded, to avoid Denial
# of Service attacks.
result = self.send_typical_request(b'GET ' + b'x' * 65537)
self.assertEqual(result[0], b'HTTP/1.1 414 Request-URI Too Long\r\n')
self.assertFalse(self.handler.get_called)
class SimpleHTTPRequestHandlerTestCase(unittest.TestCase): class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
""" Test url parsing """ """ Test url parsing """

1
Misc/ACKS
View File

@ -476,6 +476,7 @@ Andrej Krpic
Ivan Krstić Ivan Krstić
Andrew Kuchling Andrew Kuchling
Vladimir Kushnir Vladimir Kushnir
Ross Lagerwall
Cameron Laird Cameron Laird
Jean-Baptiste "Jiba" Lamy Jean-Baptiste "Jiba" Lamy
Torsten Landschoff Torsten Landschoff

3
Misc/NEWS
View File

@ -20,6 +20,9 @@ Core and Builtins
Library Library
------- -------
- Issue #10714: Limit length of incoming request in http.server to 65536 bytes
for security reasons. Initial patch by Ross Lagerwall.
- Issue #9558: Fix distutils.command.build_ext with VS 8.0. - Issue #9558: Fix distutils.command.build_ext with VS 8.0.
- Issue #10667: Fast path for collections.Counter(). - Issue #10667: Fast path for collections.Counter().