authorGeorg Brandl <georg@python.org>2014-09-30 12:56:46 (GMT)
committerGeorg Brandl <georg@python.org>2014-09-30 12:56:46 (GMT)
commit860c367c29eb557930099a7cc7fe297a259275f6 (patch)
treef1b368e97e9ca6d9be8fd55872d46a0e65627456
parent21bf3f942be920f3b051f6af43f7c37b9aa5cff3 (diff)
Issue #22419: Limit the length of incoming HTTP request in wsgiref server to
65536 bytes and send a 414 error code for higher lengths. Patch contributed by Devin Cook.
-rw-r--r--Lib/test/test_wsgiref.py5
-rw-r--r--Lib/wsgiref/simple_server.py9
-rw-r--r--Misc/ACKS1
-rw-r--r--Misc/NEWS4
4 files changed, 18 insertions, 1 deletions
diff --git a/Lib/test/test_wsgiref.py b/Lib/test/test_wsgiref.py
index 08f8d9a..c0bfaa8 100644
--- a/Lib/test/test_wsgiref.py
+++ b/Lib/test/test_wsgiref.py
@@ -114,6 +114,11 @@ class IntegrationTests(TestCase):
out, err = run_amock()
self.check_hello(out)
+ def test_request_length(self):
+ out, err = run_amock(data=b"GET " + (b"x" * 65537) + b" HTTP/1.0\n\n")
+ self.assertEqual(out.splitlines()[0],
+ b"HTTP/1.0 414 Request-URI Too Long")
+
def test_validated_hello(self):
out, err = run_amock(validator(hello_app))
# the middleware doesn't support len(), so content-length isn't there
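Review bot: test_request_length only exercises a request line far beyond the limit (65537 filler bytes plus the method and version), so an off-by-one in the `> 65536` comparison would go unnoticed. A boundary case would pin the limit: build a request line of exactly 65536 bytes, e.g. `line = b"GET /" + b"x" * (65536 - 15) + b" HTTP/1.0\n"`, and check `self.assertNotIn(b" 414 ", run_amock(data=line + b"\n")[0].splitlines()[0])`. `err` is unused in the new test; if run_amock captures the server log there (it is defined outside this hunk, so this is an assumption), asserting on it would confirm the rejection path logs cleanly.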
diff --git a/Lib/wsgiref/simple_server.py b/Lib/wsgiref/simple_server.py
index af82f95..9c4a83d 100644
--- a/Lib/wsgiref/simple_server.py
+++ b/Lib/wsgiref/simple_server.py
@@ -114,7 +114,14 @@ class WSGIRequestHandler(BaseHTTPRequestHandler):
def handle(self):
"""Handle a single HTTP request"""
- self.raw_requestline = self.rfile.readline()
+ self.raw_requestline = self.rfile.readline(65537)
+ if len(self.raw_requestline) > 65536:
+ self.requestline = ''
+ self.request_version = ''
+ self.command = ''
+ self.send_error(414)
+ return
+
if not self.parse_request(): # An error code has been sent, just exit
return
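Review bot: The cap in handle() covers the request line only, while the commit message and NEWS entry describe it as a limit on the incoming request; header lines are consumed later by parse_request(), whose own limits are not visible in this hunk, so it is worth confirming they are bounded as well. The paired literals `65537` and `65536` are unexplained; a comment such as `# Read one byte past the 64 KiB limit so an over-long request line is detected without buffering all of it` would help, or a single named constant from which both values are derived. The three empty-string assignments before `send_error(414)` presumably exist because the error and logging path reads those attributes before parse_request() has set them; a one-line comment saying so would stop a later cleanup from removing them. handle() continues beyond the end of this hunk.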
diff --git a/Misc/ACKS b/Misc/ACKS
index c1df480..c183dc7 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -219,6 +219,7 @@ Denver Coneybeare
Geremy Condra
Juan José Conti
Matt Conway
+Devin Cook
David M. Cooke
Jason R. Coombs
Garrett Cooper
diff --git a/Misc/NEWS b/Misc/NEWS
index c6df72b..d8e61c30 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,10 @@ What's New in Python 3.2.6?
Library
-------
+- Issue #22419: Limit the length of incoming HTTP request in wsgiref server to
+ 65536 bytes and send a 414 error code for higher lengths. Patch contributed
+ by Devin Cook.
+
- Issue #22517: When a io.BufferedRWPair object is deallocated, clear its
weakrefs.