cpython.git/Lib/test/test_httpservers.py, branch v3.11.15 https://github.com/python/cpython.git [3.11] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-142216) (#142298) 2026-01-25T17:10:45Z Miss Islington (bot) 31488909+miss-islington@users.noreply.github.com 2026-01-25T17:10:45Z fa1aae0e3430930acba1fe3e13eb31ff150ec896 [3.14] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-142216) The CGI server on Windows could consume the amount of memory specified in the Content-Length header of the request even if the client does not send such much data. Now it reads the POST request body by chunks, therefore the memory consumption is proportional to the amount of sent data. (cherry picked from commit 0e4f4f1a4633f2d215fb5a803cae278aeea31845) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> 
[3.14] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-142216)

The CGI server on Windows could consume the amount of memory specified
in the Content-Length header of the request even if the client does not
send such much data. Now it reads the POST request body by chunks,
therefore the memory consumption is proportional to the amount of sent
data.
(cherry picked from commit 0e4f4f1a4633f2d215fb5a803cae278aeea31845)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
 [3.11] gh-105821: Use a raw f-string in test_httpservers.py (GH-105822) (#108576) 2023-08-28T17:44:13Z Miss Islington (bot) 31488909+miss-islington@users.noreply.github.com 2023-08-28T17:44:13Z ed749be3aab081ce4e5d54e0273b96bdea02983f gh-105821: Use a raw f-string in test_httpservers.py (GH-105822) Use a raw f-string in test_httpservers.py (cherry picked from commit 09ce8c3b48f940eb8865330f029b8069854c3106) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com> 
gh-105821: Use a raw f-string in test_httpservers.py (GH-105822)

Use a raw f-string in test_httpservers.py
(cherry picked from commit 09ce8c3b48f940eb8865330f029b8069854c3106)

Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
 [3.11] gh-103204: `http.server` - Enforce that HTTP version numbers must consist only of digits (GH-103205) (#104438) 2023-05-12T20:54:12Z Miss Islington (bot) 31488909+miss-islington@users.noreply.github.com 2023-05-12T20:54:12Z b4c1ca29ccd45c608ff01ce0a4608b1837715573 gh-103204: `http.server` - Enforce that HTTP version numbers must consist only of digits (GH-103205) Reject HTTP requests with invalid http/x.y version numbers: x or y being non-digits or too-long. --------- (cherry picked from commit cf720acfcbd8c9c25a706a4b6df136465a803992) Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com> Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net> Co-authored-by: Gregory P. Smith <greg@krypto.org> 
gh-103204: `http.server` - Enforce that HTTP version numbers must consist only of digits (GH-103205)

Reject HTTP requests with invalid http/x.y version numbers: x or y being non-digits or too-long.

---------

(cherry picked from commit cf720acfcbd8c9c25a706a4b6df136465a803992)

Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
 [3.11] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) (#104123) 2023-05-03T04:27:04Z Miss Islington (bot) 31488909+miss-islington@users.noreply.github.com 2023-05-03T04:27:04Z 4536b2ec18d0e58e8e4b3167643966c8438775af gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure) --------- (cherry picked from commit c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a) Co-authored-by: Ethan Furman <ethan@stoneleaf.us> Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> 
gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067)

Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)

---------

(cherry picked from commit c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a)

Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
 [3.11] gh-100474: Fix handling of dirs named index.html in http.server (GH-100505) 2022-12-24T20:28:41Z Miss Islington (bot) 31488909+miss-islington@users.noreply.github.com 2022-12-24T20:28:41Z 714a93f6383042c1c12d9bdf2b5c2cdd7a72c20d Co-authored-by: James Frost <git@frost.cx> 
Co-authored-by: James Frost <git@frost.cx>
 gh-100001: Also escape \s in http.server log messages. (GH-100038) 2022-12-05T22:53:41Z Miss Islington (bot) 31488909+miss-islington@users.noreply.github.com 2022-12-05T22:53:41Z b2ff0f761de4dc8e7bf0fea3c64bb25d9fcfcd36 Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so that it is technically possible to parse the line and reconstruct what the original data was. Without this a \xHH is ambiguious as to if it is a hex replacement we put in or the characters r"\x" came through in the original request line. (cherry picked from commit 7e29398407dbd53b714702abb89aa2fd7baca48a) Co-authored-by: Gregory P. Smith <greg@krypto.org> 
Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so
that it is technically possible to parse the line and reconstruct what the
original data was.  Without this a \xHH is ambiguious as to if it is a hex
replacement we put in or the characters r"\x" came through in the original
request line.
(cherry picked from commit 7e29398407dbd53b714702abb89aa2fd7baca48a)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
 gh-100001: Omit control characters in http.server stderr logs. (GH-100002) 2022-12-05T21:39:22Z Miss Islington (bot) 31488909+miss-islington@users.noreply.github.com 2022-12-05T21:39:22Z a726f747e659efed674db1ebf57218c20d8c0c39 Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to. (cherry picked from commit d8ab0a4dfa48f881b4ac9ab857d2e9de42f72828) Co-authored-by: Gregory P. Smith <greg@krypto.org> 
Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
(cherry picked from commit d8ab0a4dfa48f881b4ac9ab857d2e9de42f72828)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
 gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879) 2022-06-21T21:29:03Z Miss Islington (bot) 31488909+miss-islington@users.noreply.github.com 2022-06-21T21:29:03Z e2e8847bf52f4a81490653c6d13b7e3821b2c2be Fix an open redirection vulnerability in the `http.server` module when an URI path starts with `//` that could produce a 301 Location header with a misleading target. Vulnerability discovered, and logic fix proposed, by Hamza Avvan (@hamzaavvan). Test and comments authored by Gregory P. Smith [Google]. (cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e) Co-authored-by: Gregory P. Smith <greg@krypto.org> 
Fix an open redirection vulnerability in the `http.server` module when
an URI path starts with `//` that could produce a 301 Location header
with a misleading target.  Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).

Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
 bpo-47061: deprecate cgi and cgitb (GH-32410) 2022-04-09T00:15:35Z Brett Cannon brett@python.org 2022-04-09T00:15:35Z cd29bd13ef1fe18970c5d43b66c545dd03117cb9 Part of PEP 594. 
Part of PEP 594.
 bpo-40280: Skip socket, fork, subprocess tests on Emscripten (GH-31986) 2022-03-22T10:04:36Z Christian Heimes christian@python.org 2022-03-22T10:04:36Z deeaac49e267285158264643799624623f4a7b29 - Add requires_fork and requires_subprocess to more tests - Skip extension import tests if dlopen is not available - Don't assume that _testcapi is a shared extension - Skip a lot of socket tests that don't work on Emscripten - Skip mmap tests, mmap emulation is incomplete - venv does not work yet - Cannot get libc from executable The "entire" test suite is now passing on Emscripten with EMSDK from git head (91 suites are skipped). 
- Add requires_fork and requires_subprocess to more tests
- Skip extension import tests if dlopen is not available
- Don't assume that _testcapi is a shared extension
- Skip a lot of socket tests that don't work on Emscripten
- Skip mmap tests, mmap emulation is incomplete
- venv does not work yet
- Cannot get libc from executable

The "entire" test suite is now passing on Emscripten with EMSDK from git head (91 suites are skipped).