diff options
| author | Gen Xu <xgbarry@gmail.com> | 2021-05-05 22:42:41 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-05-05 22:42:41 (GMT) |
| commit | 47895e31b6f626bc6ce47d175fe9d43c1098909d (patch) | |
| tree | 2240921e2bb4cdbfd9b59ad04984fd67e25598c3 /Lib/test/test_httplib.py | |
| parent | da5c808fb50d34bc2e180d9481706072f33025da (diff) | |
| download | cpython-47895e31b6f626bc6ce47d175fe9d43c1098909d.zip cpython-47895e31b6f626bc6ce47d175fe9d43c1098909d.tar.gz cpython-47895e31b6f626bc6ce47d175fe9d43c1098909d.tar.bz2 | |
bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916)
Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Diffstat (limited to 'Lib/test/test_httplib.py')
| -rw-r--r-- | Lib/test/test_httplib.py | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py index db41e29..e927256 100644 --- a/Lib/test/test_httplib.py +++ b/Lib/test/test_httplib.py @@ -1180,6 +1180,14 @@ class BasicTest(TestCase): resp = client.HTTPResponse(FakeSocket(body)) self.assertRaises(client.LineTooLong, resp.begin) + def test_overflowing_header_limit_after_100(self): + body = ( + 'HTTP/1.1 100 OK\r\n' + 'r\n' * 32768 + ) + resp = client.HTTPResponse(FakeSocket(body)) + self.assertRaises(client.HTTPException, resp.begin) + def test_overflowing_chunked_line(self): body = ( 'HTTP/1.1 200 OK\r\n' @@ -1581,7 +1589,7 @@ class Readliner: class OfflineTest(TestCase): def test_all(self): # Documented objects defined in the module should be in __all__ - expected = {"responses"} # White-list documented dict() object + expected = {"responses"} # Allowlist documented dict() object # HTTPMessage, parse_headers(), and the HTTP status code constants are # intentionally omitted for simplicity denylist = {"HTTPMessage", "parse_headers"} |