[Python-bugs-list] [ python-Bugs-225744 ] httplib does not check if port is valid (easy to fix?)

noreply@sourceforge.net noreply@sourceforge.net
Sat, 09 Mar 2002 06:30:49 -0800

Bugs item #225744, was opened at 2000-12-13 22:45
You can respond by visiting: 

Category: Python Library
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Luca de Alfaro (dealfaro)
Assigned to: Jeremy Hylton (jhylton)
Summary: httplib does not check if port is valid (easy to fix?)

Initial Comment:
In httplib.py, line 336, the following code appears: 

    def _set_hostport(self, host, port):
        if port is None:
            i = string.find(host, ':')
            if i >= 0:
                port = int(host[i+1:])
                host = host[:i]
                port = self.default_port
        self.host = host
        self.port = port

Ths code breaks if the host string ends with ":", so that
int("") is called.  In the old (1.5.2) version of this 
module, the corresponding int () conversion used to be 
enclosed in a try/except pair: 

                try: port = string.atoi(port)
                except string.atoi_error:
                    raise socket.error, "nonnumeric port"

and this fixed the problem.  
Note BTW that now the error reported by int is 
"ValueError: invalid literal for int():"
rather than the above string.atoi_error. 

I found this problem while downloading web pages, 
but unfortunately I cannot pinpoint which page 
caused the problem. 

Luca de Alfaro


>Comment By: Skip Montanaro (montanaro)
Date: 2002-03-09 08:30

Logged In: YES 

Here's a suggested patch that matches the exception
structure used by httplib.  It adds a subclass of 
HTTPException called InvalidURL and raises that when
int(port) gets incorrect input.


Comment By: MartinThomas (martinthomas)
Date: 2001-01-10 15:19

I have been trying to pin down a problem in Redhat's
Update agent which is written in Python (..mostly)
which happens when a proxy is specified. 

In RH7.0, they are still using Python 1.5.2 and the message
'nonnumeric port' is received when a proxy is specified
in the following form:
but  the following:
looking at the code, it seems that it expects that the only
colon would be near the end of the url and makes no
allowance for 'http:' nor 'https:'...

Regards / Martin


Comment By: Guido van Rossum (gvanrossum)
Date: 2000-12-18 16:38

Thanks for explaining this more.

I am surprised that a 301 redirect would give an invalid port -- but surely webmasters aren't perfect. :-)

The argument that urllib.Urlopener.open() checks for socket.error but not for other errors is a good one.

However I don't see the httplib.py code raising socket.error elsewhere.  I'll ask Jeremy.  The rest of the module seems to be using a totally different set of exceptions.  On the other hand, it *can* raise socket.error, implicitly (when various socket calls are being made).


Comment By: Luca de Alfaro (dealfaro)
Date: 2000-12-18 16:25

There are three (minor?) problems with raising

1) Compatibility.  I had some code for 1.5.2 that
was trying to load web pages checking for various
errors, and it was expecting this error to cause
a socket error, not a value error. 

2) Accuracy.  ValueError can be caused by
anything.  The 'non-numeric port' error is much 
more informative.  I don't want to catch
ValueError, because it can be caused in too 
many situations.  I also cannot check 
myself that the port is fine, because the 
port and the URL are often given by a  
redirect (errors 301 and 302, if I remember
correctly).  This in fact was the situation 
that caused the problem. 
Hence, my only real solution was to patch my version of httplib. 

3) Style.  I am somewhat new to Python, but I was
under the impression that, stilistically, 
a ValueError was used to convey a situation that
was the fault of the programmer, while other 
more specific errors were used for unexpected 
situations (communication, etc).  Since the 
socket is the result of a URL redirection 
(errors 301 or 302), the programmer is not in 
a position to prevent this error by "better 
checking".  Hence, I would consider a
network-relted exception to be more appropriate 

But who am I to argue with the creator of Python? 



Comment By: Guido van Rossum (gvanrossum)
Date: 2000-12-14 08:37

The only effect is that it raises ValueError instead of socket.error.
Where is this a problem?

(Note that string.atoi_error is an alias for ValueError.)


You can respond by visiting: 