From ff1bbba92aad261df1ebd8fd8cc189c104e113b0 Mon Sep 17 00:00:00 2001
From: Antoine Pitrou <solipsis@pitrou.net>
Date: Sat, 18 Dec 2010 18:04:38 +0000
Subject: [PATCH] Merged revisions 87373,87381 via svnmerge from
 svn+ssh://pythondev@svn.python.org/python/branches/py3k
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

........
  r87373 | senthil.kumaran | 2010-12-18 17:55:23 +0100 (sam., 18 déc. 2010) | 3 lines

  Fix Issue6791 - Limit the HTTP header readline with _MAXLENGTH. Patch by Antoine Pitrou
........
  r87381 | antoine.pitrou | 2010-12-18 18:59:18 +0100 (sam., 18 déc. 2010) | 3 lines

  NEWS entry for r87373
........
---
 Lib/http/client.py           | 29 ++++++++++++++++++++++++-----
 Lib/http/server.py           |  8 ++++++--
 Lib/test/test_httplib.py     | 28 ++++++++++++++++++++++++++++
 Lib/test/test_httpservers.py |  7 +++++++
 Misc/NEWS                    |  3 +++
 5 files changed, 68 insertions(+), 7 deletions(-)

diff --git a/Lib/http/client.py b/Lib/http/client.py
index bd092c215ef..296dafb2c0d 100644
--- a/Lib/http/client.py
+++ b/Lib/http/client.py
@@ -203,6 +203,9 @@ responses = {
 # maximal amount of data to read at one time in _safe_read
 MAXAMOUNT = 1048576
 
+# maximal line length when calling readline().
+_MAXLINE = 65536
+
 class HTTPMessage(email.message.Message):
     # XXX The only usage of this method is in
     # http.server.CGIHTTPRequestHandler.  Maybe move the code there so
@@ -245,7 +248,9 @@ def parse_headers(fp, _class=HTTPMessage):
     """
     headers = []
     while True:
-        line = fp.readline()
+        line = fp.readline(_MAXLINE + 1)
+        if len(line) > _MAXLINE:
+            raise LineTooLong("header line")
         headers.append(line)
         if line in (b'\r\n', b'\n', b''):
             break
@@ -349,7 +354,10 @@ class HTTPResponse(io.RawIOBase):
                 break
             # skip the header from the 100 response
             while True:
-                skip = self.fp.readline().strip()
+                skip = self.fp.readline(_MAXLINE + 1)
+                if len(skip) > _MAXLINE:
+                    raise LineTooLong("header line")
+                skip = skip.strip()
                 if not skip:
                     break
                 if self.debuglevel > 0:
@@ -525,7 +533,9 @@ class HTTPResponse(io.RawIOBase):
         value = []
         while True:
             if chunk_left is None:
-                line = self.fp.readline()
+                line = self.fp.readline(_MAXLINE + 1)
+                if len(line) > _MAXLINE:
+                    raise LineTooLong("chunk size")
                 i = line.find(b";")
                 if i >= 0:
                     line = line[:i] # strip chunk-extensions
@@ -560,7 +570,9 @@ class HTTPResponse(io.RawIOBase):
         # read and discard trailer up to the CRLF terminator
         ### note: we shouldn't have any trailers!
         while True:
-            line = self.fp.readline()
+            line = self.fp.readline(_MAXLINE + 1)
+            if len(line) > _MAXLINE:
+                raise LineTooLong("trailer line")
             if not line:
                 # a vanishingly small number of sites EOF without
                 # sending the trailer
@@ -703,7 +715,9 @@ class HTTPConnection:
             raise socket.error("Tunnel connection failed: %d %s" % (code,
                                                                     message.strip()))
         while True:
-            line = response.fp.readline()
+            line = response.fp.readline(_MAXLINE + 1)
+            if len(line) > _MAXLINE:
+                raise LineTooLong("header line")
             if line == b'\r\n':
                 break
 
@@ -1133,6 +1147,11 @@ class BadStatusLine(HTTPException):
         self.args = line,
         self.line = line
 
+class LineTooLong(HTTPException):
+    def __init__(self, line_type):
+        HTTPException.__init__(self, "got more than %d bytes when reading %s"
+                                     % (_MAXLINE, line_type))
+
 # for backwards compatibility
 error = HTTPException
 
diff --git a/Lib/http/server.py b/Lib/http/server.py
index 5ac6c0d204e..8de604a739e 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -314,8 +314,12 @@ class BaseHTTPRequestHandler(socketserver.StreamRequestHandler):
         self.command, self.path, self.request_version = command, path, version
 
         # Examine the headers and look for a Connection directive.
-        self.headers = http.client.parse_headers(self.rfile,
-                                                 _class=self.MessageClass)
+        try:
+            self.headers = http.client.parse_headers(self.rfile,
+                                                     _class=self.MessageClass)
+        except http.client.LineTooLong:
+            self.send_error(400, "Line too long")
+            return False
 
         conntype = self.headers.get('Connection', "")
         if conntype.lower() == 'close':
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index 4c02d909bc8..43985a66529 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -303,6 +303,34 @@ class BasicTest(TestCase):
         self.assertEqual("Basic realm=\"example\"",
                          resp.getheader("www-authenticate"))
 
+    # Test lines overflowing the max line size (_MAXLINE in http.client)
+
+    def test_overflowing_status_line(self):
+        self.skipTest("disabled for HTTP 0.9 support")
+        body = "HTTP/1.1 200 Ok" + "k" * 65536 + "\r\n"
+        resp = client.HTTPResponse(FakeSocket(body))
+        self.assertRaises((client.LineTooLong, client.BadStatusLine), resp.begin)
+
+    def test_overflowing_header_line(self):
+        body = (
+            'HTTP/1.1 200 OK\r\n'
+            'X-Foo: bar' + 'r' * 65536 + '\r\n\r\n'
+        )
+        resp = client.HTTPResponse(FakeSocket(body))
+        self.assertRaises(client.LineTooLong, resp.begin)
+
+    def test_overflowing_chunked_line(self):
+        body = (
+            'HTTP/1.1 200 OK\r\n'
+            'Transfer-Encoding: chunked\r\n\r\n'
+            + '0' * 65536 + 'a\r\n'
+            'hello world\r\n'
+            '0\r\n'
+        )
+        resp = client.HTTPResponse(FakeSocket(body))
+        resp.begin()
+        self.assertRaises(client.LineTooLong, resp.read)
+
 class OfflineTest(TestCase):
     def test_responses(self):
         self.assertEqual(client.responses[client.NOT_FOUND], "Not Found")
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index 622827938ed..4f1ecff4a91 100644
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -144,6 +144,13 @@ class BaseHTTPRequestHandlerTestCase(unittest.TestCase):
         self.assertEqual(result[0], b'HTTP/1.1 414 Request-URI Too Long\r\n')
         self.assertFalse(self.handler.get_called)
 
+    def test_header_length(self):
+        # Issue #6791: same for headers
+        result = self.send_typical_request(
+            b'GET / HTTP/1.1\r\nX-Foo: bar' + b'r' * 65537 + b'\r\n\r\n')
+        self.assertEqual(result[0], b'HTTP/1.1 400 Line too long\r\n')
+        self.assertFalse(self.handler.get_called)
+
 
 class BaseHTTPServerTestCase(BaseTestCase):
     class request_handler(NoLogRequestHandler, BaseHTTPRequestHandler):
diff --git a/Misc/NEWS b/Misc/NEWS
index def99aad1a8..0ff81decb7f 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -24,6 +24,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #6791: Limit header line length (to 65535 bytes) in http.client
+  and http.server, to avoid denial of services from the other party.
+
 - Issue #10404: Use ctl-button-1 on OSX for the context menu in Idle.
 
 - Issue #4188: Avoid creating dummy thread objects when logging operations