Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more

than 100 headers are read.

Patch by Jyrki Pulliainen and Daniel Eriksson.

1 files changed, 6 insertions, 0 deletions

diff --git a/Lib/httplib.py b/Lib/httplib.py
index 5368cd9..b2f6e5c 100644
--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -215,6 +215,10 @@ MAXAMOUNT = 1048576
 # maximal line length when calling readline().
 _MAXLINE = 65536
 
+# maximum amount of headers accepted
+_MAXHEADERS = 100
+
+
 class HTTPMessage(mimetools.Message):
 
     def addheader(self, key, value):
@@ -271,6 +275,8 @@ class HTTPMessage(mimetools.Message):
         elif self.seekable:
             tell = self.fp.tell
         while True:
+            if len(hlist) > _MAXHEADERS:
+                raise HTTPException("got more than %d headers" % _MAXHEADERS)
             if tell:
                 try:
                     startofline = tell()