[Python-checkins] cpython (merge 3.5 -> default): Issue #26586: Merge excessive HTTP header handling from 3.5

martin.panter python-checkins at python.org
Sat Apr 2 22:02:20 EDT 2016


https://hg.python.org/cpython/rev/e8edddb4f74b
changeset:   100837:e8edddb4f74b
parent:      100835:23d986228c6b
parent:      100836:f5247195238f
user:        Martin Panter <vadmium+py at gmail.com>
date:        Sun Apr 03 01:28:49 2016 +0000
summary:
  Issue #26586: Merge excessive HTTP header handling from 3.5

files:
  Lib/http/server.py           |  7 +++++++
  Lib/test/test_httpservers.py |  7 +++++++
  Misc/NEWS                    |  4 ++++
  3 files changed, 18 insertions(+), 0 deletions(-)


diff --git a/Lib/http/server.py b/Lib/http/server.py
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -338,6 +338,13 @@
                 HTTPStatus.BAD_REQUEST,
                 "Line too long")
             return False
+        except http.client.HTTPException as err:
+            self.send_error(
+                HTTPStatus.REQUEST_HEADER_FIELDS_TOO_LARGE,
+                "Too many headers",
+                str(err)
+            )
+            return False
 
         conntype = self.headers.get('Connection', "")
         if conntype.lower() == 'close':
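Review bot: the new `except http.client.HTTPException` clause catches the base exception class, so any HTTPException reaching it is answered with 431 "Too many headers", whatever the actual parse failure was. It is only accurate while it stays below the more specific handler that sends "Line too long". Either narrow the match to the too-many-headers condition or add a comment recording the ordering dependency. Separately, `str(err)` is passed as the explain text and is therefore returned to the client; confirm the exception message carries nothing beyond the header-count limit.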
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -859,6 +859,13 @@
         self.assertFalse(self.handler.get_called)
         self.assertEqual(self.handler.requestline, 'GET / HTTP/1.1')
 
+    def test_too_many_headers(self):
+        result = self.send_typical_request(
+            b'GET / HTTP/1.1\r\n' + b'X-Foo: bar\r\n' * 101 + b'\r\n')
+        self.assertEqual(result[0], b'HTTP/1.1 431 Too many headers\r\n')
+        self.assertFalse(self.handler.get_called)
+        self.assertEqual(self.handler.requestline, 'GET / HTTP/1.1')
+
     def test_close_connection(self):
         # handle_one_request() should be repeatedly called until
         # it sets close_connection
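Review bot: the `* 101` in `test_too_many_headers` is a magic number tied to a header limit defined outside this file, so the test stops exercising the boundary if that limit ever changes. Derive the count from the limit constant, or at least comment where 101 comes from, and add the companion case with exactly the limit number of headers asserting that such a request is still served and `get_called` is true.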
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -237,6 +237,10 @@
 Library
 -------
 
+- Issue #26586: In http.server, respond with "413 Request header fields too
+  large" if there are too many header fields to parse, rather than killing
+  the connection and raising an unhandled exception.  Patch by Xiang Zhang.
+
 - Issue #26676: Added missing XMLPullParser to ElementTree.__all__.
 
 - Issue #22854: Change BufferedReader.writable() and
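Review bot: the NEWS entry says "413 Request header fields too large", but the server.py hunk sends `HTTPStatus.REQUEST_HEADER_FIELDS_TOO_LARGE` and the new test expects `HTTP/1.1 431`. 413 is a different status (payload too large), so the entry should read 431 to match the code and the test.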

-- 
Repository URL: https://hg.python.org/cpython

