[Python-checkins] cpython (2.7): Issue #22419: Limit the length of incoming HTTP request in wsgiref server to
senthil.kumaran
python-checkins at python.org
Wed Sep 17 10:33:01 CEST 2014
http://hg.python.org/cpython/rev/7a4d960fc801
changeset: 92452:7a4d960fc801
branch: 2.7
parent: 92443:9e765e65e5cb
user: Senthil Kumaran <senthil at uthcode.com>
date: Wed Sep 17 16:27:06 2014 +0800
summary:
Issue #22419: Limit the length of incoming HTTP request in wsgiref server to 65536 bytes.
files:
Lib/test/test_wsgiref.py | 5 +++++
Lib/wsgiref/simple_server.py | 9 ++++++++-
Misc/ACKS | 1 +
Misc/NEWS | 4 ++++
4 files changed, 18 insertions(+), 1 deletions(-)
diff --git a/Lib/test/test_wsgiref.py b/Lib/test/test_wsgiref.py
--- a/Lib/test/test_wsgiref.py
+++ b/Lib/test/test_wsgiref.py
@@ -113,6 +113,11 @@
out, err = run_amock()
self.check_hello(out)
+ def test_request_length(self):
+ out, err = run_amock(data="GET " + ("x" * 65537) + " HTTP/1.0\n\n")
+ self.assertEqual(out.splitlines()[0],
+ "HTTP/1.0 414 Request-URI Too Long")
+
def test_validated_hello(self):
out, err = run_amock(validator(hello_app))
# the middleware doesn't support len(), so content-length isn't there
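Review bot: test_request_length only sends a request line well past the limit ("x" * 65537 plus the method and version), so the boundary of the new check is never exercised. An off-by-one in the comparison would still pass this test. Consider adding a case whose request line is exactly 65536 bytes and is not rejected with 414, and one at 65537 bytes that is. The test also asserts only the status line; checking that err is in the expected state would show the error path does not raise while logging.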
diff --git a/Lib/wsgiref/simple_server.py b/Lib/wsgiref/simple_server.py
--- a/Lib/wsgiref/simple_server.py
+++ b/Lib/wsgiref/simple_server.py
@@ -113,7 +113,14 @@
def handle(self):
"""Handle a single HTTP request"""
- self.raw_requestline = self.rfile.readline()
+ self.raw_requestline = self.rfile.readline(65537)
+ if len(self.raw_requestline) > 65536:
+ self.requestline = ''
+ self.request_version = ''
+ self.command = ''
+ self.send_error(414)
+ return
+
if not self.parse_request(): # An error code has been sent, just exit
return
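Review bot: In handle(), the limit is spelled as two separate literals, readline(65537) and len(self.raw_requestline) > 65536, and the check only works while they stay exactly one apart. A single named constant, with the read size derived as that constant plus one, would keep them in sync and document the intent. The three empty-string assignments before send_error(414) also deserve a short comment, since nothing in the hunk says why requestline, request_version and command must be reset before the error is sent.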
diff --git a/Misc/ACKS b/Misc/ACKS
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -268,6 +268,7 @@
Phil Connell
Juan José Conti
Matt Conway
+Devin Cook
David M. Cooke
Jason R. Coombs
Garrett Cooper
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -21,6 +21,10 @@
Library
-------
+- Issue #22419: Limit the length of incoming HTTP request in wsgiref server to
+ 65536 bytes and send a 414 error code for higher lengths. Patch contributed
+ by Devin Cook.
+
- Lax cookie parsing in http.cookies could be a security issue when combined
with non-standard cookie handling in some Web browsers. Reported by
Sergey Bobrov.
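Review bot: The new entry says the "incoming HTTP request" is limited to 65536 bytes, but the simple_server.py hunk in this changeset bounds only the first line read into raw_requestline. Wording it as "request line" would match what the code enforces and avoid suggesting that headers or the body are covered by the same limit.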
--
Repository URL: http://hg.python.org/cpython