From 860c367c29eb557930099a7cc7fe297a259275f6 Mon Sep 17 00:00:00 2001 From: Georg Brandl Date: Tue, 30 Sep 2014 14:56:46 +0200 Subject: [PATCH] Issue #22419: Limit the length of incoming HTTP request in wsgiref server to 65536 bytes and send a 414 error code for higher lengths. Patch contributed by Devin Cook. --- Lib/test/test_wsgiref.py | 5 +++++ Lib/wsgiref/simple_server.py | 9 ++++++++- Misc/ACKS | 1 + Misc/NEWS | 4 ++++ 4 files changed, 18 insertions(+), 1 deletion(-) diff --git a/Lib/test/test_wsgiref.py b/Lib/test/test_wsgiref.py index 08f8d9a6043..c0bfaa838a7 100644 --- a/Lib/test/test_wsgiref.py +++ b/Lib/test/test_wsgiref.py @@ -114,6 +114,11 @@ class IntegrationTests(TestCase): out, err = run_amock() self.check_hello(out) + def test_request_length(self): + out, err = run_amock(data=b"GET " + (b"x" * 65537) + b" HTTP/1.0\n\n") + self.assertEqual(out.splitlines()[0], + b"HTTP/1.0 414 Request-URI Too Long") + def test_validated_hello(self): out, err = run_amock(validator(hello_app)) # the middleware doesn't support len(), so content-length isn't there diff --git a/Lib/wsgiref/simple_server.py b/Lib/wsgiref/simple_server.py index af82f953c53..9c4a83d8982 100644 --- a/Lib/wsgiref/simple_server.py +++ b/Lib/wsgiref/simple_server.py @@ -114,7 +114,14 @@ class WSGIRequestHandler(BaseHTTPRequestHandler): def handle(self): """Handle a single HTTP request""" - self.raw_requestline = self.rfile.readline() + self.raw_requestline = self.rfile.readline(65537) + if len(self.raw_requestline) > 65536: + self.requestline = '' + self.request_version = '' + self.command = '' + self.send_error(414) + return + if not self.parse_request(): # An error code has been sent, just exit return diff --git a/Misc/ACKS b/Misc/ACKS index c1df48054f5..c183dc78f3d 100644 --- a/Misc/ACKS +++ b/Misc/ACKS @@ -219,6 +219,7 @@ Denver Coneybeare Geremy Condra Juan José Conti Matt Conway +Devin Cook David M. Cooke Jason R. Coombs Garrett Cooper 
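Review bot: `test_request_length` only sends a request line far past the limit (65537 `x` bytes plus the method and version), so an off-by-one in the `> 65536` comparison in `handle` would go unnoticed. A companion case whose request line is exactly 65536 bytes including the newline, e.g. `run_amock(data=b"GET /" + b"x" * 65521 + b" HTTP/1.0\n\n")`, asserting that the first output line is not the 414 status, would pin the boundary. A one-line comment stating that the limit applies to the request line, as `# request line longer than 65536 bytes must be rejected with 414`, would also tell the reader where the number comes from.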
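Review bot: The limit in `handle` is written as two bare literals, `readline(65537)` and `> 65536`, and nothing says the extra byte is read only to detect an over-long line. A comment such as `# Read one byte past the limit so an over-long request line is detectable.`, or a single named constant used in both places, would keep the two numbers from drifting apart. The assignments to `requestline`, `request_version` and `command` also deserve a comment, since they are presumably there because `send_error` and its logging read those attributes before `parse_request` has set them. This check caps only the request line; nothing visible in the hunk bounds header or body size, so the NEWS wording "length of incoming HTTP request" is broader than what the code enforces. The body of `handle` continues past the end of the hunk.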
diff --git a/Misc/NEWS b/Misc/NEWS index c6df72b0bb0..d8e61c30388 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -10,6 +10,10 @@ What's New in Python 3.2.6? Library ------- +- Issue #22419: Limit the length of incoming HTTP request in wsgiref server to + 65536 bytes and send a 414 error code for higher lengths. Patch contributed + by Devin Cook. + - Issue #22517: When a io.BufferedRWPair object is deallocated, clear its weakrefs.