Merged revisions 87373,87381 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/branches/py3k BaseHTTPServer isn't fixed, this would require too much refactoring. ........ r87373 | senthil.kumaran | 2010-12-18 17:55:23 +0100 (sam., 18 déc. 2010) | 3 lines Fix Issue6791 - Limit the HTTP header readline with _MAXLENGTH. Patch by Antoine Pitrou ........ r87381 | antoine.pitrou | 2010-12-18 18:59:18 +0100 (sam., 18 déc. 2010) | 3 lines NEWS entry for r87373 ........
This commit is contained in:
parent
c139a5683b
commit
d7b6ac66c1
|
@ -212,6 +212,9 @@ responses = {
|
|||
# maximal amount of data to read at one time in _safe_read
|
||||
MAXAMOUNT = 1048576
|
||||
|
||||
# maximal line length when calling readline().
|
||||
_MAXLINE = 65536
|
||||
|
||||
class HTTPMessage(mimetools.Message):
|
||||
|
||||
def addheader(self, key, value):
|
||||
|
@ -274,7 +277,9 @@ class HTTPMessage(mimetools.Message):
|
|||
except IOError:
|
||||
startofline = tell = None
|
||||
self.seekable = 0
|
||||
line = self.fp.readline()
|
||||
line = self.fp.readline(_MAXLINE + 1)
|
||||
if len(line) > _MAXLINE:
|
||||
raise LineTooLong("header line")
|
||||
if not line:
|
||||
self.status = 'EOF in headers'
|
||||
break
|
||||
|
@ -404,7 +409,10 @@ class HTTPResponse:
|
|||
break
|
||||
# skip the header from the 100 response
|
||||
while True:
|
||||
skip = self.fp.readline().strip()
|
||||
skip = self.fp.readline(_MAXLINE + 1)
|
||||
if len(skip) > _MAXLINE:
|
||||
raise LineTooLong("header line")
|
||||
skip = skip.strip()
|
||||
if not skip:
|
||||
break
|
||||
if self.debuglevel > 0:
|
||||
|
@ -563,7 +571,9 @@ class HTTPResponse:
|
|||
value = []
|
||||
while True:
|
||||
if chunk_left is None:
|
||||
line = self.fp.readline()
|
||||
line = self.fp.readline(_MAXLINE + 1)
|
||||
if len(line) > _MAXLINE:
|
||||
raise LineTooLong("chunk size")
|
||||
i = line.find(';')
|
||||
if i >= 0:
|
||||
line = line[:i] # strip chunk-extensions
|
||||
|
@ -598,7 +608,9 @@ class HTTPResponse:
|
|||
# read and discard trailer up to the CRLF terminator
|
||||
### note: we shouldn't have any trailers!
|
||||
while True:
|
||||
line = self.fp.readline()
|
||||
line = self.fp.readline(_MAXLINE + 1)
|
||||
if len(line) > _MAXLINE:
|
||||
raise LineTooLong("trailer line")
|
||||
if not line:
|
||||
# a vanishingly small number of sites EOF without
|
||||
# sending the trailer
|
||||
|
@ -730,7 +742,9 @@ class HTTPConnection:
|
|||
raise socket.error("Tunnel connection failed: %d %s" % (code,
|
||||
message.strip()))
|
||||
while True:
|
||||
line = response.fp.readline()
|
||||
line = response.fp.readline(_MAXLINE + 1)
|
||||
if len(line) > _MAXLINE:
|
||||
raise LineTooLong("header line")
|
||||
if line == '\r\n': break
|
||||
|
||||
|
||||
|
@ -1233,6 +1247,11 @@ class BadStatusLine(HTTPException):
|
|||
self.args = line,
|
||||
self.line = line
|
||||
|
||||
class LineTooLong(HTTPException):
|
||||
def __init__(self, line_type):
|
||||
HTTPException.__init__(self, "got more than %d bytes when reading %s"
|
||||
% (_MAXLINE, line_type))
|
||||
|
||||
# for backwards compatibility
|
||||
error = HTTPException
|
||||
|
||||
|
|
|
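Review bot: The `_tunnel` header loop (hunk at `@ -730,7 +742,9`) gains a length check but still has no EOF exit: once the proxy closes the connection before sending the blank line, `response.fp.readline(_MAXLINE + 1)` returns `''`, which is neither longer than `_MAXLINE` nor equal to `'\r\n'`, so `while True` never terminates and a peer that simply hangs up still ties up the caller. Adding `if not line: break` (or raising `socket.error` as the status check just above it already does) before `if line == '\r\n': break` closes that gap, mirroring the EOF handling the chunked-trailer loop in this same file already has. The rest of `_tunnel` lies outside the hunk; judging from the skipped `test_overflowing_status_line`, the status line read by `_read_status` appears not to be bounded by this change, so the new limit presumably covers header, chunk-size and trailer lines only.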
@ -319,6 +319,35 @@ class BasicTest(TestCase):
|
|||
self.assertTrue(hasattr(resp,'fileno'),
|
||||
'HTTPResponse should expose a fileno attribute')
|
||||
|
||||
# Test lines overflowing the max line size (_MAXLINE in http.client)
|
||||
|
||||
def test_overflowing_status_line(self):
|
||||
self.skipTest("disabled for HTTP 0.9 support")
|
||||
body = "HTTP/1.1 200 Ok" + "k" * 65536 + "\r\n"
|
||||
resp = httplib.HTTPResponse(FakeSocket(body))
|
||||
self.assertRaises((httplib.LineTooLong, httplib.BadStatusLine), resp.begin)
|
||||
|
||||
def test_overflowing_header_line(self):
|
||||
body = (
|
||||
'HTTP/1.1 200 OK\r\n'
|
||||
'X-Foo: bar' + 'r' * 65536 + '\r\n\r\n'
|
||||
)
|
||||
resp = httplib.HTTPResponse(FakeSocket(body))
|
||||
self.assertRaises(httplib.LineTooLong, resp.begin)
|
||||
|
||||
def test_overflowing_chunked_line(self):
|
||||
body = (
|
||||
'HTTP/1.1 200 OK\r\n'
|
||||
'Transfer-Encoding: chunked\r\n\r\n'
|
||||
+ '0' * 65536 + 'a\r\n'
|
||||
'hello world\r\n'
|
||||
'0\r\n'
|
||||
)
|
||||
resp = httplib.HTTPResponse(FakeSocket(body))
|
||||
resp.begin()
|
||||
self.assertRaises(httplib.LineTooLong, resp.read)
|
||||
|
||||
|
||||
class OfflineTest(TestCase):
|
||||
def test_responses(self):
|
||||
self.assertEqual(httplib.responses[httplib.NOT_FOUND], "Not Found")
|
||||
|
|
|
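Review bot: The comment introducing these tests, `# Test lines overflowing the max line size (_MAXLINE in http.client)`, names the Python 3 module while the tests themselves call `httplib`; it should read `# Test lines overflowing the max line size (_MAXLINE in httplib)`. All three tests exercise only lines that exceed the limit; none checks that a header line of exactly `_MAXLINE` bytes (CRLF included) is still accepted, so an off-by-one regression in the `len(line) > _MAXLINE` checks would go unnoticed — a test building a header of that length and asserting `resp.begin()` succeeds would pin the boundary. The tests also hard-code `65536` rather than using `httplib._MAXLINE`, so they would silently stop testing the limit if the constant were ever changed. `test_overflowing_status_line` calls `skipTest` before its body runs; the skip reason would be more useful if it named the code path that is deliberately left unbounded (presumably the status-line read).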
@ -22,6 +22,9 @@ Core and Builtins
|
|||
Library
|
||||
-------
|
||||
|
||||
- Issue #6791: Limit header line length (to 65535 bytes) in http.client,
|
||||
to avoid denial of services from the other party.
|
||||
|
||||
- Issue #10404: Use ctl-button-1 on OSX for the context menu in Idle.
|
||||
|
||||
- Issue #9907: Fix tab handling on OSX when using editline by calling
|
||||
|
|