Issue #26586: Handle excessive header fields in http.server, by Xiang Zhang

2016-04-03 00:45:46 +00:00 · 2016-04-03 00:45:46 +00:00 · acc03195b0
parent af8363926a
commit acc03195b0
3 changed files with 18 additions and 0 deletions
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@ -337,6 +337,13 @@ class BaseHTTPRequestHandler(socketserver.StreamRequestHandler):
                HTTPStatus.BAD_REQUEST,
                "Line too long")
            return False
+        except http.client.HTTPException as err:
+            self.send_error(
+                HTTPStatus.REQUEST_HEADER_FIELDS_TOO_LARGE,
+                "Too many headers",
+                str(err)
+            )
+            return False

        conntype = self.headers.get('Connection', "")
        if conntype.lower() == 'close':
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@ -858,6 +858,13 @@ class BaseHTTPRequestHandlerTestCase(unittest.TestCase):
        self.assertFalse(self.handler.get_called)
        self.assertEqual(self.handler.requestline, 'GET / HTTP/1.1')

+    def test_too_many_headers(self):
+        result = self.send_typical_request(
+            b'GET / HTTP/1.1\r\n' + b'X-Foo: bar\r\n' * 101 + b'\r\n')
+        self.assertEqual(result[0], b'HTTP/1.1 431 Too many headers\r\n')
+        self.assertFalse(self.handler.get_called)
+        self.assertEqual(self.handler.requestline, 'GET / HTTP/1.1')
+
    def test_close_connection(self):
        # handle_one_request() should be repeatedly called until
        # it sets close_connection
--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -99,6 +99,10 @@ Core and Builtins
 Library
 -------

+- Issue #26586: In http.server, respond with "413 Request header fields too
+  large" if there are too many header fields to parse, rather than killing
+  the connection and raising an unhandled exception.  Patch by Xiang Zhang.
+
 - Issue #22854: Change BufferedReader.writable() and
  BufferedWriter.readable() to always return False.