author | Senthil Kumaran <senthil@uthcode.com> | 2014-09-17 08:31:47 (GMT) |
---|---|---|
committer | Senthil Kumaran <senthil@uthcode.com> | 2014-09-17 08:31:47 (GMT) |
commit | 86c9e1877cc287b602e06f3627cda2d81cbd176a (patch) | |
tree | 78a3cae39e1115df4938744d8791dacd473e392d | |
parent | aa72b1b448d09ddbff737ee1a3e0cb40cb6ca047 (diff) | |
parent | e025b52db0651081eb08978efa850269c8282073 (diff) | |
Merge from 3.3
Issue #22419: Limit the length of incoming HTTP request in wsgiref server to 65536 bytes.
-rw-r--r-- | Lib/test/test_wsgiref.py | 5 | ||||
-rw-r--r-- | Lib/wsgiref/simple_server.py | 9 | ||||
-rw-r--r-- | Misc/ACKS | 1 | ||||
-rw-r--r-- | Misc/NEWS | 4 |
4 files changed, 18 insertions, 1 deletions
diff --git a/Lib/test/test_wsgiref.py b/Lib/test/test_wsgiref.py index 901f3c9..e213d77 100644 --- a/Lib/test/test_wsgiref.py +++ b/Lib/test/test_wsgiref.py @@ -118,6 +118,11 @@ class IntegrationTests(TestCase): out, err = run_amock() self.check_hello(out) + def test_request_length(self): + out, err = run_amock(data=b"GET " + (b"x" * 65537) + b" HTTP/1.0\n\n") + self.assertEqual(out.splitlines()[0], + b"HTTP/1.0 414 Request-URI Too Long") + def test_validated_hello(self): out, err = run_amock(validator(hello_app)) # the middleware doesn't support len(), so content-length isn't there diff --git a/Lib/wsgiref/simple_server.py b/Lib/wsgiref/simple_server.py index cd9751a..378b316 100644 --- a/Lib/wsgiref/simple_server.py +++ b/Lib/wsgiref/simple_server.py @@ -115,7 +115,14 @@ class WSGIRequestHandler(BaseHTTPRequestHandler): def handle(self): """Handle a single HTTP request""" - self.raw_requestline = self.rfile.readline() + self.raw_requestline = self.rfile.readline(65537) + if len(self.raw_requestline) > 65536: + self.requestline = '' + self.request_version = '' + self.command = '' + self.send_error(414) + return + if not self.parse_request(): # An error code has been sent, just exit return @@ -272,6 +272,7 @@ Denver Coneybeare Phil Connell Juan José Conti Matt Conway +Devin Cook David M. Cooke Jason R. Coombs Garrett Cooper @@ -32,6 +32,10 @@ Core and Builtins Library ------- +- Issue #22419: Limit the length of incoming HTTP request in wsgiref server to + 65536 bytes and send a 414 error code for higher lengths. Patch contributed + by Devin Cook. + - Lax cookie parsing in http.cookies could be a security issue when combined with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov. |
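Review bot: In Lib/test/test_wsgiref.py, test_request_length only sends a request line well over the limit (4 + 65537 + 10 = 65551 bytes), so an off-by-one in the handler's `> 65536` comparison would go unnoticed. A companion case at the boundary would pin it: `out, err = run_amock(data=b"GET /" + b"x" * 65521 + b" HTTP/1.0\n\n")` is exactly 65536 bytes including the newline, and `self.assertNotEqual(out.splitlines()[0], b"HTTP/1.0 414 Request-URI Too Long")` should then hold. A one-line comment on the existing test, such as `# one x more than the handler's 65536-byte request-line limit`, would also explain the literal 65537.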
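Review bot: In WSGIRequestHandler.handle in Lib/wsgiref/simple_server.py, the new cap applies to the request line only, while the commit message and NEWS entry read as a limit on the whole request; nothing in this hunk bounds header lines or the body, so any limit on those has to come from parse_request or the application, which are outside the hunk. A comment above the read would make that scope explicit, for example `# Cap the request line at 65536 bytes; headers and body are not limited here.` The 65537/65536 pair is also easy to break in a later edit; a class attribute such as `max_request_line = 65536`, used as `readline(self.max_request_line + 1)` and `> self.max_request_line`, keeps the two in step. The resets of requestline, request_version and command are presumably there so send_error can build and log the 414 response before parse_request has run, and a short comment saying so would help. handle's body continues past the end of the hunk.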