[Python-checkins] cpython (3.3): Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more than

georg.brandl python-checkins at python.org
Sun Oct 27 07:38:51 CET 2013


http://hg.python.org/cpython/rev/e445d02e5306
changeset:   86679:e445d02e5306
branch:      3.3
user:        Georg Brandl <georg at python.org>
date:        Sun Oct 27 07:34:48 2013 +0100
summary:
  Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more than
100 headers are read.  Adapted from patch by Jyrki Pulliainen.

files:
  Doc/library/http.client.rst |  2 +-
  Lib/http/client.py          |  4 ++++
  Lib/test/test_httplib.py    |  9 +++++++++
  Misc/NEWS                   |  3 +++
  4 files changed, 17 insertions(+), 1 deletions(-)


diff --git a/Doc/library/http.client.rst b/Doc/library/http.client.rst
--- a/Doc/library/http.client.rst
+++ b/Doc/library/http.client.rst
@@ -169,9 +169,9 @@
    A subclass of :exc:`HTTPException`.  Raised if a server responds with a HTTP
    status code that we don't understand.
 
+
 The constants defined in this module are:
 
-
 .. data:: HTTP_PORT
 
    The default port for the HTTP protocol (always ``80``).
diff --git a/Lib/http/client.py b/Lib/http/client.py
--- a/Lib/http/client.py
+++ b/Lib/http/client.py
@@ -214,6 +214,8 @@
 
 # maximal line length when calling readline().
 _MAXLINE = 65536
+_MAXHEADERS = 100
+
 
 class HTTPMessage(email.message.Message):
     # XXX The only usage of this method is in
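Review bot: `_MAXHEADERS` is added directly under the comment `# maximal line length when calling readline().`, which describes only `_MAXLINE`, so the new limit has no documentation of its own. I would add a comment above it such as `# maximal number of header lines read for one message (guards against unbounded header input)`. Together with `_MAXLINE`, the two constants cap the header block at roughly 100 * 65536 bytes, about 6.5 MB, per response; that figure is worth stating so that anyone changing either value sees the combined bound.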
@@ -261,6 +263,8 @@
         if len(line) > _MAXLINE:
             raise LineTooLong("header line")
         headers.append(line)
+        if len(headers) > _MAXHEADERS:
+            raise HTTPException("got more than %d headers" % _MAXHEADERS)
         if line in (b'\r\n', b'\n', b''):
             break
     hstring = b''.join(headers).decode('iso-8859-1')
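Review bot: The new count check runs right after `headers.append(line)` and before the end-of-headers test, so the blank terminator line is counted as well. A message with exactly 100 header lines reaches `len(headers) == 101` on the terminator and is rejected, although the error text says "more than 100 headers". Because the list holds raw lines, folded continuation lines presumably count as separate entries too. Moving the two added lines below the `if line in (b'\r\n', b'\n', b''): break` test would make the limit match the message; otherwise the limit should be documented as a line count that includes the terminator. The enclosing function starts and ends outside this hunk.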
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -345,6 +345,15 @@
             self.fail("Did not expect response from HEAD request")
         self.assertEqual(bytes(b), b'\x00'*5)
 
+    def test_too_many_headers(self):
+        headers = '\r\n'.join('Header%d: foo' % i
+                              for i in range(client._MAXHEADERS + 1)) + '\r\n'
+        text = ('HTTP/1.1 200 OK\r\n' + headers)
+        s = FakeSocket(text)
+        r = client.HTTPResponse(s)
+        self.assertRaisesRegex(client.HTTPException,
+                               r"got more than \d+ headers", r.begin)
+
     def test_send_file(self):
         expected = (b'GET /foo HTTP/1.1\r\nHost: example.com\r\n'
                     b'Accept-Encoding: identity\r\nContent-Length:')
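Review bot: `test_too_many_headers` exercises only the rejecting side, with `client._MAXHEADERS + 1` header lines, so it does not pin where the boundary sits. A companion case with exactly `client._MAXHEADERS` header lines followed by a blank line, asserting that `r.begin()` returns without raising, would show whether the terminator counts towards the limit. The test data also ends without a blank line, so the exception fires while the header lines themselves are being read and the terminator path is never reached.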
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -81,6 +81,9 @@
 Library
 -------
 
+- Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more than
+  100 headers are read.  Adapted from patch by Jyrki Pulliainen.
+
 - Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to
   prevent readline() calls from consuming too much memory.  Patch by Jyrki
   Pulliainen.

-- 
Repository URL: http://hg.python.org/cpython

