diff --git a/Lib/httplib.py b/Lib/httplib.py
index e1ace4dfe06..5af0d029557 100644
--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -212,6 +212,9 @@ responses = {
 # maximal amount of data to read at one time in _safe_read
 MAXAMOUNT = 1048576
+# maximal line length when calling readline().
+_MAXLINE = 65536
+
 class HTTPMessage(mimetools.Message):
     def addheader(self, key, value):
@@ -274,7 +277,9 @@ class HTTPMessage(mimetools.Message):
                 except IOError:
                     startofline = tell = None
                     self.seekable = 0
-            line = self.fp.readline()
+            line = self.fp.readline(_MAXLINE + 1)
+            if len(line) > _MAXLINE:
+                raise LineTooLong("header line")
             if not line:
                 self.status = 'EOF in headers'
                 break
@@ -404,7 +409,10 @@ class HTTPResponse:
                 break
             # skip the header from the 100 response
             while True:
-                skip = self.fp.readline().strip()
+                skip = self.fp.readline(_MAXLINE + 1)
+                if len(skip) > _MAXLINE:
+                    raise LineTooLong("header line")
+                skip = skip.strip()
                 if not skip:
                     break
                 if self.debuglevel > 0:
@@ -563,7 +571,9 @@ class HTTPResponse:
         value = []
         while True:
             if chunk_left is None:
-                line = self.fp.readline()
+                line = self.fp.readline(_MAXLINE + 1)
+                if len(line) > _MAXLINE:
+                    raise LineTooLong("chunk size")
                 i = line.find(';')
                 if i >= 0:
                     line = line[:i] # strip chunk-extensions
@@ -598,7 +608,9 @@ class HTTPResponse:
         # read and discard trailer up to the CRLF terminator
         ### note: we shouldn't have any trailers!
         while True:
-            line = self.fp.readline()
+            line = self.fp.readline(_MAXLINE + 1)
+            if len(line) > _MAXLINE:
+                raise LineTooLong("trailer line")
             if not line:
                 # a vanishingly small number of sites EOF without
                 # sending the trailer
@@ -730,7 +742,9 @@ class HTTPConnection:
             raise socket.error("Tunnel connection failed: %d %s" % (code, message.strip()))
         while True:
-            line = response.fp.readline()
+            line = response.fp.readline(_MAXLINE + 1)
+            if len(line) > _MAXLINE:
+                raise LineTooLong("header line")
             if line == '\r\n': break
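Review bot: The new comment on `_MAXLINE` in the first hunk says only that it is a maximal line length; it should state the contract the checks below rely on and why the bound exists, e.g. `# maximal line length when calling readline(); a line of up to _MAXLINE bytes (terminator included) is accepted, anything longer raises LineTooLong so a peer cannot force unbounded buffering.` The Misc/NEWS entry in this commit describes the limit as 65535 bytes, while `len(line) > _MAXLINE` accepts a 65536-byte line; the two should agree. The NEWS text also names `http.client`, which is the Python 3 module name, whereas this patch is against `httplib`.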
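Review bot: In the readheaders hunk (-274) each header line is now bounded, but nothing visible bounds the number of iterations of the enclosing `while` loop, so as far as these lines show a peer can still send an arbitrarily large header block one line at a time; a counter in the loop with a cap, raising HTTPException when exceeded, would close that gap. The body of readheaders starts and ends outside the hunk, so the loop's other exit conditions are not visible here. The same three-line readline / `len(...) > _MAXLINE` / `raise LineTooLong(...)` sequence is repeated in the hunks at -404, -563, -598 and -730; a small module-level helper that performs the bounded readline and the length check and returns the line would keep the bound in one place and make the next caller harder to get wrong.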
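Review bot: In the _tunnel hunk (-730), if the proxy closes the connection before sending the terminating blank line, `response.fp.readline(_MAXLINE + 1)` returns `''`, which is neither over the limit nor equal to `'\r\n'`, so this `while True:` loop never terminates. The readheaders hunk (-274) and the trailer hunk (-598) both handle that condition with `if not line:`; the same check belongs here after the length check, e.g. `if not line: break`, or a raise if a truncated tunnel response should be treated as an error. The rest of _tunnel is outside the hunk, so whether the caller could detect the truncated response some other way is not visible.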
@@ -1233,6 +1247,11 @@ class BadStatusLine(HTTPException):
         self.args = line,
         self.line = line
+class LineTooLong(HTTPException):
+    def __init__(self, line_type):
+        HTTPException.__init__(self, "got more than %d bytes when reading %s"
+                               % (_MAXLINE, line_type))
+
 # for backwards compatibility
 error = HTTPException
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index bb6d3cf42f3..2708728e801 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -319,6 +319,35 @@ class BasicTest(TestCase):
         self.assertTrue(hasattr(resp,'fileno'), 'HTTPResponse should expose a fileno attribute')
+    # Test lines overflowing the max line size (_MAXLINE in http.client)
+
+    def test_overflowing_status_line(self):
+        self.skipTest("disabled for HTTP 0.9 support")
+        body = "HTTP/1.1 200 Ok" + "k" * 65536 + "\r\n"
+        resp = httplib.HTTPResponse(FakeSocket(body))
+        self.assertRaises((httplib.LineTooLong, httplib.BadStatusLine), resp.begin)
+
+    def test_overflowing_header_line(self):
+        body = (
+            'HTTP/1.1 200 OK\r\n'
+            'X-Foo: bar' + 'r' * 65536 + '\r\n\r\n'
+        )
+        resp = httplib.HTTPResponse(FakeSocket(body))
+        self.assertRaises(httplib.LineTooLong, resp.begin)
+
+    def test_overflowing_chunked_line(self):
+        body = (
+            'HTTP/1.1 200 OK\r\n'
+            'Transfer-Encoding: chunked\r\n\r\n'
+            + '0' * 65536 + 'a\r\n'
+            'hello world\r\n'
+            '0\r\n'
+        )
+        resp = httplib.HTTPResponse(FakeSocket(body))
+        resp.begin()
+        self.assertRaises(httplib.LineTooLong, resp.read)
+
+
 class OfflineTest(TestCase):
     def test_responses(self):
         self.assertEqual(httplib.responses[httplib.NOT_FOUND], "Not Found")
diff --git a/Misc/NEWS b/Misc/NEWS
index f3355af3ace..19d6c418e8b 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
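Review bot: `LineTooLong` carries the line type only inside its formatted message; `BadStatusLine` just above keeps the offending data on `self.line`, and storing `self.line_type = line_type` in the same way would let a caller distinguish a header overflow from a chunk-size overflow without parsing the message. The class also has no docstring; a one-liner stating when it is raised would help, e.g. `"""Raised when a line read from the peer exceeds _MAXLINE bytes."""`. Whether the new name is exported through the module's `__all__` is not visible in this diff and is worth checking, since the tests reference it as `httplib.LineTooLong`.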
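Review bot: `test_overflowing_status_line` is skipped unconditionally with the reason "disabled for HTTP 0.9 support", so the status-line read path gets no coverage and, as far as the httplib hunks show, no length bound either; the skip message should say why bounding the status line would break HTTP/0.9 handling, or the test should be removed rather than left permanently skipped. There is also no test for the boundary itself — a header line of exactly _MAXLINE bytes including its CRLF should be accepted and one byte more rejected — which would pin the `len(line) > _MAXLINE` semantics the implementation chose. The comment `# Test lines overflowing the max line size (_MAXLINE in http.client)` names the Python 3 module; in this file the module under test is `httplib`.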
@@ -22,6 +22,9 @@ Core and Builtins
 Library
 -------
+- Issue #6791: Limit header line length (to 65535 bytes) in http.client,
+  to avoid denial of services from the other party.
+
 - Issue #10404: Use ctl-button-1 on OSX for the context menu in Idle.
 - Issue #9907: Fix tab handling on OSX when using editline by calling