Issue #26586: Handle excessive header fields in http.server, by Xiang Zhang

2016-04-03 00:45:46 +00:00 · 2016-04-03 00:45:46 +00:00 · acc03195b0
parent af8363926a
commit acc03195b0
3 changed files with 18 additions and 0 deletions
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@ -337,6 +337,13 @@ class BaseHTTPRequestHandler(socketserver.StreamRequestHandler):
                HTTPStatus.BAD_REQUEST,
                "Line too long")
            return False
        except http.client.HTTPException as err:
            self.send_error(
                HTTPStatus.REQUEST_HEADER_FIELDS_TOO_LARGE,
                "Too many headers",
                str(err)
            )
            return False
        conntype = self.headers.get('Connection', "")
        if conntype.lower() == 'close':
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@ -858,6 +858,13 @@ class BaseHTTPRequestHandlerTestCase(unittest.TestCase):
        self.assertFalse(self.handler.get_called)
        self.assertEqual(self.handler.requestline, 'GET / HTTP/1.1')
    def test_too_many_headers(self):
        result = self.send_typical_request(
            b'GET / HTTP/1.1\r\n' + b'X-Foo: bar\r\n' * 101 + b'\r\n')
        self.assertEqual(result[0], b'HTTP/1.1 431 Too many headers\r\n')
        self.assertFalse(self.handler.get_called)
        self.assertEqual(self.handler.requestline, 'GET / HTTP/1.1')
    def test_close_connection(self):
        # handle_one_request() should be repeatedly called until
        # it sets close_connection
--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -99,6 +99,10 @@ Core and Builtins
 Library
 -------
 - Issue #26586: In http.server, respond with "413 Request header fields too
  large" if there are too many header fields to parse, rather than killing
  the connection and raising an unhandled exception.  Patch by Xiang Zhang.
 - Issue #22854: Change BufferedReader.writable() and
  BufferedWriter.readable() to always return False.